_______________________________________________________________________________

                          Nomad Mobile Research Centre
                             A N N O U N C E M E N T
                                  www.nmrc.org
                        Simple Nomad [thegnome@nmrc.org]
                                    10Sep1999
_______________________________________________________________________________


NMRC has had a number of vendors ask about our methods for gathering 
information and disclosing bugs. So we are formalizing things into this policy
to point the vendors at something.

If we find a security flaw, hole, or bug in software, we will first work to
verify the basics surrounding said problem. Once we have done that, we will
contact the vendor with enough technical details to reproduce the problem, and
might supply source code for an exploit if it seems appropriate.

If the problem is considered a very high priority problem, we will give the 
vendor a month's notice before we go public. Otherwise they have a week to 
respond.

We will certainly alter this timetable if the problem is actively being
exploited, if it was previously reported to the vendor, or if independently
discovered by another person who publicizes the information.

_______________________________________________________________________________