This question comes from my experience with the following question: http://stackoverflow.com/questions/492748/new-responses-icon-on-so-crashes-ie7-closed

In that question, you will see the effort I put forth in debugging this crash in IE, and in doing so, I can see the potential threat of exploitation and remote code execution.

So, being that I spent the time already, I was wondering if anyone knows all the steps and proper process/procedures one has to take to actually get a real security advisory published? I've never done it, and a couple quick searches didn't turn up anything on the subject.

It's been a week since I posted the question, so this exploit has mold growing on it already, but I still haven't seen it addressed yet, so the threat still exists.

If you have done this type of thing before, would you be willing to help someone out?

+2  A: 

The first step is to contact the vendor.

A quick google revealed this page, which, if you click on "I need to report a possible security vulnerability to Microsoft.", instructs you to send a mail to secure[at]microsoft.com. Honestly I'd give that a shot.

Note that after the initial "thank you" mail, you may or may not hear anything back from them until they make decisions about the severity and urgency of the issue, or even until you see the update notification pop up on your own machine.

Zack
Thanks Zack... You wouldn't know how I can get my hands on the debug json/jquery source from this site? I need it to be able to build a repro case I can submit... I know why it happens, but debugging the master.min.js was a real PITA... I've already tried the big man himself, but no response.
LarryF