Open Crypto Audit Project Disclosure Policy

The OCAP vulnerability disclosure model is based on CERT (Computer Emergency Readiness Team) policy.

Vulnerabilities discovered during the course of an OCAP audit will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure. Disclosures made by OCAP will include credit to the researcher unless otherwise requested by the researcher.

It is the goal of this policy to balance the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively. The final determination of a publication schedule will be based on the best interests of the community overall.

Vulnerabilities discovered by us will be forwarded to US-CERT, which will coordinate with any affected downstream vendors as soon as practical after it receives the report. The name and contact information of a designated OCAP disclosure coordinator will be forwarded to the affected vendors. CERT will advise OCAP of significant changes in the status of any vulnerability we have reported, to the extent possible without revealing information provided to it in confidence. CERT will apprise any affected vendors of its publication plans and negotiate alternate publication schedules with the affected vendors when required.