Provides recommended procedures for the reporter of a vulnerability: # Report the vulnerability to the National Cyber Security Centre SK-CERT as soon as it is detected in order to minimize the risk of abuse by the attackers. # For confidentiality, it is recommended to encrypt the communication via PGP. # The vulnerability report must include a detailed description of the problem. Suggestion of the vulnerability solution is also possible. # It is recommended to include a detailed contact information in the report, along with the means of secure communication (e. g. PGP fingerprint). # SK-CERT may assist the reporter by taking further steps: * to assess a reported vulnerability from an expert viewpoint, * to register CVE number for vulnerability, * to identify entities concerned and their respective contacts (a manufacturer, national CSIRTs, affected users), * to contact entities concerned either with the reporter identity or with the reporter anonymity. # The reporter may specify a vulnerability removal period for the affected entity during which the vulnerability is not disclosed publicly. If the entity does not respond to the report and the deadline expires, the reporter may disclose the vulnerability publicly. It is a good practice to add vulnerability solution methods or mitigation to the vulnerability report. The default period is 30 to 90 days, depending on the nature of the vulnerability  Provides recommended procedures for the affected entities of a vulnerability: * a process of vulnerability reporting (within the process each reported issue should be assessed and not just limited to the vulnerabilities with higher severity), * a process of vulnerability prioritisation and management, * a process of vulnerability disclosure to the public. # The response to each report should be prompt and adequate to the reported vulnerability. # The vulnerability management process should be given a high priority and vulnerabilities should be fixed in the next update. # The vulnerability management process should also include identifying potential victims and the method of their notification. # If the vulnerability is to be disclosed to the public, the company will determine the date of disclosure and notify the reporter if the vulnerability was not detected by the company. After consulting the reporter, it will also choose an appropriate channel for vulnerability disclosure to the community and the public. # The company may reward the reporter for reporting the vulnerability. It may also "offer a reward" for finding vulnerabilities in its products. This procedure is recommended to increase the security of the company's products and services. # Vulnerability reporting should be seen as an opportunity to improve products and a chance to learn about the vulnerability earlier than its abuse causes damage to the user, operator or manufacturer of the product or service. Therefore, it is recommended to treat the reporter gratefully as a person who wants to help as a friendly co-worker. This, of course, does not preclude legal action if the reporter's actions are manifestly unethical or illegal.