What is the process for submitting a Zero Day vulnerability?
4 points by JungleCats 4890 days ago
Hey there guys,

I've found a Zero Day vulnerability (Just URI XSS) though it is affecting anywhere in the range of ~6M websites (according to Google).

I was wondering what process I should follow. (Report to the vendor, wait for them to update their software, then disclose?)

I was also wondering about the legality of this: am I likely to get into any kind of trouble here?

~JungleCats
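The post does not name the affected software, so the following is an added illustration of the bug class it describes (a "URI XSS": the server reflects the raw request URI into the page, typically to build a form action or canonical link), not code from the original poster or from any identified vendor. The request path, the page fragment and the check function are all constructed here for the example; a real finding would reference the vendor's own templates.

```javascript
// Added example, not from the thread: a reflected XSS via the request URI,
// shown in its vulnerable form beside an escaped version.

// Minimal HTML attribute/text escaper (the five characters that matter).
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the raw request URI is concatenated into an attribute,
// e.g. to make a form post back to the current page.
function renderVulnerable(requestUri) {
  return '<form action="' + requestUri + '" method="post"></form>';
}

// Hardened pattern: escape before inserting so quotes and angle brackets are
// inert inside the attribute. (A full fix would also validate/normalize the
// path; escaping alone is the minimum that stops markup injection.)
function renderHardened(requestUri) {
  return '<form action="' + escapeHtml(requestUri) + '" method="post"></form>';
}

// Crude detector used to demonstrate the difference: did the attacker's input
// become a live <script> element or break out of the quoted attribute?
function containsInjectedMarkup(html) {
  return /<script\b/i.test(html) || /"\s*[a-z]+=/i.test(html.replace(/^<form action="[^"]*"/, ''));
}

// Constructed attacker-controlled path. In a real request some clients will
// percent-encode parts of this; the raw form is what the vulnerable code fears.
const payloadUri = '/index.php/"><script>alert(document.domain)</script>';

// Returns both renderings so a caller (or test) can compare them.
function demo(uri) {
  const vulnerable = renderVulnerable(uri);
  const hardened = renderHardened(uri);
  return {
    vulnerable,
    hardened,
    vulnerableInjects: containsInjectedMarkup(vulnerable),
    hardenedInjects: containsInjectedMarkup(hardened),
  };
}
```

Running `demo(payloadUri)` shows the vulnerable output closing the `action` attribute and opening a `<script>` element, while the hardened output carries the same bytes as `&quot;&gt;&lt;script&gt;...`, which a browser renders as text. When reporting a bug like this, the reproduction sent to the vendor is usually exactly this pair: the reflected template and a request that breaks out of the quoting context.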

2 comments

You could read up on http://en.wikipedia.org/wiki/Responsible_disclosure

Preferably, contact the vendor directly without publishing your findings online. Give them time to fix the issue. If they do not react and you feel there is a great danger if you do not disclose the existence of this vulnerability, publish it.

Hey there netcorps,

Thanks for the reply. I think that's the way I'll go about it.

Much appreciated!

Watch out. Each vendor / website has processes you may want to follow. You could also get in touch with http://www.us-cert.gov/. They are helpful in providing advice and guidance.
I appreciate the reply, I'll be sure to bookmark the link.