...

  • What information should be provided about the vulnerability?
  • Where should this information be provided?
  • What, if any, additional measures should be taken to draw attention to the existence of the vulnerability or the availability of its fix?

Prepare and Circulate a Draft

...

Once the draft circulation phase is complete, the next step is publishing the vulnerability document to whatever channels have been identified during previous phases.

Some vendors have a specific website that lists all their security advisories to date. Others might email the disclosure to a user mailing list or a security mailing list such as Full Disclosure [2] or BugTraq [1]. Reporters themselves may also choose to disclose by posting the advisory to a mailing list or including it in a personal or company blog. A common goal for reporters in the CVD process is to synchronize their publication with the vendor's response. As a result, near-simultaneous publication occurs quite often.

It is generally courteous for the vendor and reporter to contact each other after disclosure to inform one another that the disclosure went through as planned and provide URLs to the published documents.

...

Avoid Silent Patches

Many vulnerability reports can be similar, and sometimes a vendor or coordinator might receive multiple reports of similar vulnerabilities at the same time. Sometimes this is due to independent discovery, which we discuss in Section 6.5. Other times it reflects a report traversing multiple paths to arrive at its destination within the CVD process. This is fairly common in cases where a vulnerability affects products from multiple vendors. Using a common identifier improves coordination as it ensures that all coordinating parties can keep track of the issue.

The most common identifier in use today is the CVE ID [3], which is meant as a globally unique identifier for a public vulnerability report. CVE IDs can be obtained from the CVE Project at MITRE or one of several CVE Numbering Authorities (CNAs) established by MITRE—typically the vendors of common software products themselves [4]. Both reporters and vendors can request a CVE ID, but reporters should first check if the vendor they are coordinating with is already a CNA. This identifier should be included in any pre-disclosure shared drafts, so that all parties are aware of the common identifier.

Many system deployers use vulnerability scanning tools to discover systems on their network that need to have patches applied. In turn, many vulnerability scanning tools depend on public vulnerability databases such as NVD. Furthermore, NVD entries are largely dependent on CVE ID assignments. When vendors issue updates without acquiring CVE IDs for the vulnerabilities they address, the patch can go unnoticed by the vulnerability databases, scanning tools, and deployers. Therefore we strongly recommend that vendors acquire as many vulnerability IDs as necessary to clearly indicate which vulnerabilities are fixed by specific patches.

A related issue arises when vendors fail to increment their product version numbers when issuing a fix for one or more vulnerabilities. This makes it much harder for coordinators, vulnerability database providers, vulnerability scanning tool vendors, and deployers to differentiate systems affected by a vulnerability from those that are not.
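As an added example (not part of this guide), a small release-notes check that flags the two silent-patch symptoms described above: a security fix shipped without a CVE ID, and a fix whose version number was not incremented. The Release schema, the product name and the identifier CVE-1900-0001 are constructed placeholders, not real data.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Identifier shape used by CVE IDs: CVE-<year>-<four or more digits>.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

@dataclass
class Release:
    """One vendor release as it might appear in release notes (hypothetical schema)."""
    product: str
    previous_version: str
    fixed_version: str
    security_fix: bool
    cve_ids: List[str] = field(default_factory=list)

def version_key(v: str) -> List[int]:
    """Turn '2.4.10' into [2, 4, 10]; raises ValueError on non-numeric parts."""
    return [int(part) for part in v.split(".")]

def version_incremented(prev: str, fixed: str) -> bool:
    """Component-wise compare, padding the shorter version with zeros so 2.4 == 2.4.0."""
    a, b = version_key(prev), version_key(fixed)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return b > a

def check_release(rel: Release) -> List[str]:
    """Return the reasons this release would be a silent patch (empty list means none)."""
    problems = []
    if rel.security_fix and not rel.cve_ids:
        problems.append("no CVE ID: fix will not surface in NVD or ID-driven scanners")
    for cve in rel.cve_ids:
        if not CVE_RE.match(cve):
            problems.append(f"malformed identifier {cve!r}")
    try:
        if not version_incremented(rel.previous_version, rel.fixed_version):
            problems.append("version not incremented: affected and fixed builds look identical")
    except ValueError:
        problems.append("non-numeric version string; cannot distinguish affected builds")
    return problems

# Constructed sample releases; CVE-1900-0001 is a deliberately fake placeholder ID.
GOOD = Release("ExampleServer", "2.4.1", "2.4.2", True, ["CVE-1900-0001"])
SILENT = Release("ExampleServer", "2.4.1", "2.4.2", True)            # fix shipped without an ID
NO_BUMP = Release("ExampleServer", "2.4.1", "2.4.1", True, ["CVE-1900-0001"])
BAD_ID = Release("ExampleServer", "2.4", "2.4.1", True, ["CVE-1900-1"])
```

Running `check_release` over each sample returns an empty list for GOOD and one problem string for each of the other three.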

Where to Publish

Publicly disclosing the existence of a vulnerability and the availability of its fix is usually considered to be the primary goal of the CVD process.

...