...

  • consumer products, such as home automation and the internet of things (IoT)
  • internet service providers (ISPs) and the makers of devices that access ISP services: internet modems, routers, access points, and the like
  • mobile phone manufacturers and service providers
  • industrial control systems, building automation, HVAC manufacturers
  • infrastructure suppliers and increasingly "smart" utility services including water and sewer services and the energy industry
  • transportation services, including the airline and automotive industries
  • medical devices and health-related device manufacturers

...

Furthermore, since many modern products are in fact composed of software and hardware components from multiple vendors, the CVD process increasingly involves multiple tiers of vendors, as we discuss in Section 5.4.2. For example, the CVD process for a vulnerability in a software library component may need to include the originating author of the vulnerable component as well as all the downstream vendors who incorporated that component into their products. Each of these vendors in turn will need to update their products in order for the fix to be deployed to all vulnerable systems.

...

The NTIA Awareness and Adoption Working Group survey (previously mentioned in Section 2.2) found the following [1]:

...

  • 60-80% of the more mature vendors followed CVD practices
  • 76% of those mature vendors developed their vulnerability handling procedures in-house.
  • Vendors' perceived need for a vulnerability disclosure policy was driven by a sense of corporate responsibility or customer demand.
  • Only a third of responding companies considered and/or required suppliers to have their own vulnerability handling procedures.

...

  • receive reports
  • triage, analyze, and test claims made in reports received
  • fix bugs
  • distribute patch(es)
  • (recommended) publish a document
  • (recommended) improve internal development process

...

The ISO/IEC standards 29147 _Vulnerability disclosure_ and 30111 _Vulnerability handling processes_ offer specific models for external- and internal-facing vendor vulnerability response practices. Readers are encouraged to review and apply those standards to their operational vulnerability response practice. ISO/IEC 29147 describes an outward-facing CVD process [2]. ISO/IEC 30111 addresses the internal processes associated with vendor vulnerability response [3].

Evaluating the Vendor Security Response Process

...

There are various sub-roles one might find within a vendor organization. In small organizations, an individual might play all the sub-roles at once. Larger organizations often have teams that correspond to the sub-roles identified here. Each of these sub-roles has a part to play in the vendor's vulnerability response practice.

PSIRT

...

A vendor might choose to establish a Product Security Incident Response Team (PSIRT). This is similar to a Computer Security Incident Response Team (CSIRT), but is engaged for product security "incidents" (e.g., vulnerability reports and reports of exploitation of the company's products). The PSIRT acts as an interface between the public and the developers. Examples include the Microsoft Security Response Center (MSRC) [4] and Cisco PSIRT [5]. Many vendor PSIRTs are active in the Forum of Incident Response and Security Teams (FIRST) [7].

Developers

For vendors of sufficient size to have a dedicated PSIRT, the vulnerability response and development processes are likely found in different parts of the organization. The development role usually has the responsibility to

...

Although a single vendor is usually the originator of a patch for a given vulnerability, this is not always the case. Some vendors will have products affected by a vulnerability while they are not the originator of the initial fix. Ideally the CVD process should cover not just the patch originator but also the downstream vendors. The complexity of the software supply chain can make this difficult to coordinate as we discuss in Section 5.4.2.

Process Improvement

Having a mechanism to receive and track the disposition of vulnerability reports is an important first step in establishing a vendor's vulnerability response capability. But it should not stop there; vendors should strive for continuous improvement of their software development process.
Improving the development process can reduce the number of vulnerabilities in future products. Vendors can establish a feedback loop by performing a root cause analysis of vulnerabilities reported. Lessons learned can then inform modifications to the development process. Some of the ways vulnerability response can feed back into the development lifecycle include the following:

...