See https://www.owasp.org/index.php/Vulnerability_Disclosure_Cheat_Sheet.

 

Unless (ISC)² is the vulnerable web site, I recommend keeping unrelated parties out of any "article".  The more people you drag in, the more conversations you end up having with lawyers.

---

@kbruce wrote:

I am writing my first article, which will be exposing a vulnerable website, its disclosure of PII and its potential to assist in phishing attempts.

 

---

Keith, 

A big part of the answer depends on how and where you plan to publish. If you are thinking of self-publishing, like in a blog, I recommend reconsidering that choice, given the mess full disclosure of a site vulnerabilities brings on (we're talking lots of lawyers). Rather, consider publishing in an established professional journal, magazine, or conference, and follow their guidelines for publishing disclosures of vulnerabilities.

If you are not familiar with the ongoing infosec topic of responsible disclosure, please search the net for that term and read up on the various positions on notification and responsibility. 

 

 

Congrats on your first article! That is an exciting step.

 

Best regards,

 

 

Amanda @amandavanceISC2 

This thread seems more appropriate for the Career area than in Member Support. If Keith @kbruce is OK with changing, can you move it over there?

 

Thanks,

 

 

> kbruce (Viewer) posted a new topic in Member Support on 10-22-2018 09:57 AM in the (ISC)² Community :

> Hi Folks, I am writing my first article, which will be exposing a
> vulnerable website, its disclosure of PII and its potential to assist in
> phishing attempts. Knowing this, what is the proper protocol that I should
> follow before publishing, to avoid future repercussions to protect myself
> and ISC2.org?

Are you identifying yourself with ISC2 in the article?

>  Should I provide the exposed company with ample warning?

Definitely. I would have already notified them before starting to write the article
...
 
> If so, what would be considered ample time (30, 60 or 90 days notice)?

Depends upon a number of factors. How many people/users does this vulnerability
affect? How complex is the issue? How long is it reasonable to expect the
company to take to fix it? If the breach is potentially serious for a large number
of people, it might be proper to publish and warn people before the company has
had time to patch, but, in most less serious cases, the company should have time
to fix the issue before you alert the "dark side" that they have a chance to attack.

> Should I publish
> anonymously?

Depends upon how well you've done your work ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
I clicked without thinking. That's what using a Mac does to you,
gives you a feeling of invincibility. - Martin Wehlou, 20061222
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB