...

Prior research into vulnerability disclosure practices [1] has shown that neither approach is socially optimal. Thus, we are given to hope that we can improve on these extremes by striking a balance in between. But doing so requires several questions to be answered: how much information should be released? To whom? And when? Do you wait for a patch to be deployed before announcing the vulnerability's existence? Do you wait for the patch to be available but not yet deployed? Is it acceptable to acknowledge that you know of a vulnerability in a product without providing any other details?

...

The Forum of Incident Response and Security Teams (FIRST) [2], which consists of many public and private organizations and companies involved in vulnerability and security incident handling, has established a Vulnerability Coordination Special Interest Group to develop common CVD best practices and guidelines [3]. While the existence of individual vulnerabilities may be unexpected and surprising, these common practices should help lead to fewer surprises for all stakeholders in the CVD process itself.

Governments and international organizations also recognize the need for coordinated vulnerability disclosure practices. In 2015, the Department of Commerce's National Telecommunications and Information Administration initiated a Multistakeholder Process for Cybersecurity Vulnerabilities [4] to

develop a broad, shared understanding of the overlapping interests between security researchers and the vendors and owners of products discovered to be vulnerable, and to establish a consensus about voluntary principles to promote better collaboration. The question of how vulnerabilities can and should be disclosed will be a critical part of the discussion, as will how vendors receive and respond to this information. However, disclosure is only one aspect of successful collaboration.

...