: We frequently see requests for contact on this mailing list. Readers
: are encouraged to ensure that their software vendors are aware of the
: following documents, which have more specific guidelines for vendors to
: establish. Because these documents have been co-authored by major
: organizations, they might provide more leverage for researchers who have
: difficulty in reaching unresponsive or uninterested vendors. Whether you
: subscribe to the whole "responsible disclosure" process or not,
: presumably most of us agree that it's important for vendors to be easily
: reachable.
: The US Department of Homeland Security's "Vulnerability Disclosure
: Framework" document here:
:
: [..]
:
: Those are from
: http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf

If an organization doesn't follow the above guidelines for any reason,
they should at the very least make a reasonable effort to follow RFC 2142.

ABSTRACT

   This specification enumerates and describes Internet mail addresses
   (mailbox name @ host reference) to be used when contacting personnel
   at an organization. Mailbox names are provided for both operations
   and business functions. Additional mailbox names and aliases are not
   prohibited, but organizations which support email exchanges with the
   Internet are encouraged to support AT LEAST each mailbox name for
   which the associated function exists within the organization.

Specifically section 4 which requests the use of a 'security' mailbox.

4. NETWORK OPERATIONS MAILBOX NAMES

   Operations addresses are intended to provide recourse for customers,
   providers and others who are experiencing difficulties with the
   organization's Internet service.

      MAILBOX       AREA                 USAGE
      -----------   ----------------     ---------------------------
      ABUSE         Customer Relations   Inappropriate public behaviour
      NOC           Network Operations   Network infrastructure
      SECURITY      Network Security     Security bulletins or queries