
For most reporters, the contact management process simply consists of maintaining a vendor's email address and PGP/GPG key in compatible mail client software. Contact management becomes vitally important to multiparty CVD, and is a particular concern for third-party coordinators. A common choice is Thunderbird with Enigmail [7], but other open source solutions such as Outlook with gpg4win [8], or KMail with KGpg/Kleopatra [9], and proprietary solutions such as Outlook with Symantec Encryption Desktop [3] also exist.

Finding vendor contacts can be difficult. Not all vendors include contact information in an easily searchable page, such as a Contact Us page linked from the vendor's homepage. Some alternatives include searching old mailing lists, using social media, or even sending physical letters to a business address [10].

In order to protect privacy during the disclosure process, mailing lists or simply carbon-copying all recipients to a single message is likely not an acceptable action in most scenarios. Vendors in many cases would like to keep their vulnerability information private except for what is specifically intended to be shared. At the CERT/CC, we have developed some in-house mailing scripts that auto-generate individual encrypted emails, one for each vendor we attempt to reach. In this way, we can maintain privacy up front, but can introduce two vendors should there be mutual interest in collaboration. Our current tools were written with our internal systems and network policies in mind. Other coordinators may look into similar efforts. We covered communication topologies for CVD in Section 5.5.2.
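The per-vendor fan-out described above, as an added example that is not the CERT/CC's in-house tooling: each vendor gets its own PGP/MIME (RFC 3156) message, encrypted to that vendor's key fingerprint only, with no Cc or Bcc, and a pre-send check confirms that no message names more than one recipient. It assumes the vendors' public keys are already in the local GnuPG keyring and that `gpg` is on PATH (needed only by `gpg_encrypt`; the fan-out and the check take the encryption routine as a parameter, so the dry run at the bottom works offline). The contact records and fingerprints are constructed sample values.

```python
"""One individually encrypted message per vendor, instead of one CC'd message.

Added illustration of the fan-out approach; not the CERT/CC's own scripts.
Assumptions: vendor public keys are already in the local GnuPG keyring and
`gpg` is on PATH (used only by gpg_encrypt; fan_out and recipient_overlap
are independent of the encryption backend).
"""
import subprocess
from dataclasses import dataclass
from email import encoders
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.utils import getaddresses
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class VendorContact:
    email: str
    fingerprint: str  # full hex fingerprint of the vendor's PGP key, verified out of band


def gpg_encrypt(plaintext: str, fingerprint: str) -> str:
    """Encrypt plaintext to exactly one key with GnuPG; returns ASCII-armored ciphertext.

    Selecting the key by fingerprint rather than email address avoids picking up a
    look-alike key; --trust-model always is acceptable only because the fingerprint
    was verified when the contact record was created.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--armor", "--trust-model", "always",
         "--encrypt", "--recipient", fingerprint],
        input=plaintext.encode("utf-8"), capture_output=True, check=True,
    )
    return proc.stdout.decode("utf-8")


def build_pgp_mime(sender: str, vendor: VendorContact, subject: str,
                   armored: str) -> MIMEMultipart:
    """Wrap armored ciphertext in a PGP/MIME message addressed to a single vendor."""
    msg = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    msg["From"] = sender
    msg["To"] = vendor.email   # the only recipient header; Cc/Bcc are never set
    msg["Subject"] = subject   # headers are not encrypted: keep the subject generic
    # RFC 3156 layout: a control part reading "Version: 1", then the ciphertext.
    control = MIMEApplication("Version: 1\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    body = MIMEApplication(armored, "octet-stream",
                           _encoder=encoders.encode_7or8bit)
    body.add_header("Content-Disposition", "inline", filename="encrypted.asc")
    msg.attach(control)
    msg.attach(body)
    return msg


def fan_out(sender: str, subject: str, body: str, vendors: List[VendorContact],
            encrypt: Callable[[str, str], str] = gpg_encrypt) -> List[MIMEMultipart]:
    """Build one message per vendor, each encrypted to that vendor's key alone and
    naming no other vendor, so recipients learn nothing about who else was contacted."""
    return [build_pgp_mime(sender, v, subject, encrypt(body, v.fingerprint))
            for v in vendors]


def recipient_overlap(messages: List[MIMEMultipart]) -> List[Tuple[int, Set[str]]]:
    """Pre-send check: list every message whose To/Cc/Bcc do not name exactly one address."""
    problems = []
    for i, m in enumerate(messages):
        headers = m.get_all("To", []) + m.get_all("Cc", []) + m.get_all("Bcc", [])
        addrs = {addr for _, addr in getaddresses(headers)}
        if len(addrs) != 1:
            problems.append((i, addrs))
    return problems


if __name__ == "__main__":
    # Constructed sample contacts; the fingerprints are placeholders, not real keys.
    vendors = [
        VendorContact("psirt@vendor-a.example", "0000000000000000000000000000000000000001"),
        VendorContact("security@vendor-b.example", "0000000000000000000000000000000000000002"),
    ]

    # Offline dry run: a marker stands in for the gpg call. For real mail, pass
    # encrypt=gpg_encrypt (the default) instead.
    def dry_run(text: str, fp: str) -> str:
        return ("-----BEGIN PGP MESSAGE-----\n"
                f"[ciphertext of {len(text)} bytes for key {fp}]\n"
                "-----END PGP MESSAGE-----\n")

    msgs = fan_out("coordinator@example.org", "Vulnerability report (tracking ID in body)",
                   "Report details go here.", vendors, encrypt=dry_run)
    for m in msgs:
        print(m.as_string())
    print("recipient overlap:", recipient_overlap(msgs))  # [] expected
```

The check exists because the privacy property is easy to break later, for example by a well-meaning edit that adds a Cc; running `recipient_overlap` immediately before handing messages to the MTA catches that. Introducing two vendors to each other, as the text mentions, is then a deliberate step (a new message listing both) rather than an accident of the initial send.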

Bug Bounty Platforms

A number of third-party CVD platforms now exist to facilitate communication between vendors and reporters [11, 12, 13, 14]. Although they are often referred to as bug bounty platforms, the "bounty" aspect is in fact optional—vendors can use bug bounty platforms to receive reports without needing to compensate reporters unless they choose to do so.

CVD platforms provide a secure communications channel (HTTPS) for reporters to communicate with vendors. These platforms generally allow two-way communications, making it easy for ongoing discussion between vendor and reporter. This channel is usually hosted by a third party in a software-as-a-service model, which may be important to some organizations that are not able to maintain their own infrastructure due to resource constraints. Of course, having vulnerability information hosted on third-party infrastructure may also present a data privacy risk to some organizations, so it is important to consult internal policies before determining if a CVD platform fits your organization's needs and requirements.

An important note regarding these platforms is that the CVD platform by its nature requires a login. As explained in our discussion in the last section, requiring an account may discourage some reporters or other organizations from joining the platform, locking them out of discussion. Organizations should consider whether the benefits of using a CVD service outweigh this concern.
Case and Bug Tracking

Case tracking systems such as bug trackers or trouble ticket systems are often used by vendors, coordinators, and reporters for tracking vulnerability reports. Such systems can centralize the vulnerability response process and provide the ability to track individual cases. Case tracking systems also provide a means of collecting data about recurring security issues and the performance of the response process itself.

...

Having an internal testing infrastructure is vital to proper triage and resolution of vulnerability reports, as we discussed in Section 4.3.1. Not only is testing useful for confirming reports or reproducing and isolating bugs; it can also serve as a platform for an organization to develop its own vulnerability discovery capability.

...