Penetration Testing mailing list archives

[PEN-TEST] disclosure and contact information


From: Ben Ford <bford () ERISKSECURITY COM>
Date: Tue, 6 Mar 2001 17:02:49 -0800

I just had a discussion with the higher-ups at the company I work for
regarding vulnerability disclosure.  It is SOP (and common courtesy) for
most companies to give software companies a week or so advance
notification when a vulnerability is found.  We are in the process of
developing our policies and came to a point of contention here.  We both
agree that the vulnerabilities should be made public on our website, but
he does not want to give advance notification to companies.  His
reasoning for this is simple.  He doesn't want to invest the time to
track down contact information for each and every company and/or product
we end up dealing with.

To counter this point, is there a database somewhere with such contact
information?  It would have to be searchable by company and by product.
It would only return contact information.  A phone number, email etc.
If there is not, is anybody interested in joining forces to create one?

-b
