To disclose or not to disclose... The tough question. So far I've dealt with: CERT, Microsoft, ZDI, iDefense, Cisco, Juniper, Foundry, F5 Networks, IBM, SAP, Digium, CACE (Wireshark), Symantec, VMWare, Trend Micro and some others (quite a few eh?)... The first questions to ask yourself is: 1) Is it a mission critical bug where it needs fixing RIGHT NOW 2) What is the purpose of your disclosure, for the sake of getting the bug fixed, for the sake of adding your name alongside a CVS number (don't laugh careers are built on it)
In re: 1) If it's mission critical, I suggest finding the appropriate contact at the vendor AND cc'ing CERT on your submission. This holds the vendor responsible since its not a secret between two parties - CERT is acting as a proxy
In re: 1) Dealing directly with CERT bypassing the vendor is a horribly long process, I know this because I have about 52+ issues with them on ONE vendor alone.
Or re: 2) If the purpose of your disclosure is fortune or fame, head over to ZDI and get paid for the research WHILE keeping your name on the advisory.
What you want to do is give the vendor time to replicate the issues while holding them accountable. For example, ZDI has a 6 month time frame for the vendor to provide a fix. (http://dvlabs.tippingpoint.com/blog/2010/08/03/zdi-disclosure-changes
) In doing this (setting a time limit) they're giving the vendor the opportunity to get it right as opposed to just leaving things up in smoke. I have dealt with a vendor now for 2 1/2 years whose yet to respond to my advisories. Because of the sensitivity of the bug and the application it affects (it is a huge one) I decided to just shrug my shoulders. Someone else will eventually re-discover it. So you have a choice to make that no one can answer... Disclose it to the vendor, disclose it to CERT, disclose it to a brokering house (ZDI, iDefense, etc)... Whichever you choose, I would also put forth in writing a timetable of at least MINIMUM 3 months for a resolution. Otherwise vendors won't take it serious and you will see something lingering for years on end (HP has had bugs out there for over 3 years).