An Overview of the Coordination Process

This process at times involves several organizations.

Ideal Disclosure Process

When working directly with the vendor, generally the coordinated disclosure process proceeds as follows:

  1. A reporter learns of a vulnerability (either directly, as a user or researcher, or indirectly from someone else)
  2. The reporter identifies the vulnerable product's vendor and reports the vulnerability to the vendor directly
  3. The vendor analyzes the report, verifies that the information is correct, and quickly acknowledges the reporter
  4. The vendor provides the reporter with information about patching the issue and the timeframe until the patch is released publicly; the reporter agrees to publish on the same day
  5. The reporter may test the patch before public release and provide findings to the vendor
  6. Toward the end of the timeframe, before the patch is released, both vendor and reporter draft security advisories and share them with each other for comment
    1. The reporter and vendor may request a CVE ID from MITRE if the vendor is not already a CVE Naming Authority
  7. The patch for the vulnerability may be released privately to affected downstream vendors (customers/users of the vulnerable product) first
  8. On an agreed-upon date, public security advisories are published detailing the issue and how to obtain the patch or mitigate the issue
    1. Typically, the vendor releases its advisory at the same time the reporter publishes an advisory on a security mailing list such as Bugtraq or Full Disclosure, or possibly even on a personal blog.
    2. At some later time (typically fairly quickly, especially if the vendor is a CVE Naming Authority), MITRE updates the CVE ID record on its CVE List website.
    3. After the MITRE CVE ID record is published, the National Vulnerability Database (NVD) publishes its own entry for the CVE ID, which provides extra information such as vulnerability scoring.

End result: the vulnerability is mitigated or addressed in some manner, tracked with a CVE ID, and the public is informed through advisories about how to obtain the mitigation.

Complications

The above description is highly idealized; every coordinated disclosure case is somewhat unique and may have special handling requirements or constraints. The important idea is the word "coordinated": the formula presented above can be adjusted as much as necessary, as long as both parties are kept in the loop (coordinate!).

In some simple cases, should a vendor become unresponsive, some reporters will proceed to publish a security advisory on their own. This is common, especially where the vulnerability was initially acknowledged but no date was ever set for a patch release. This is fine to do, but the CERT/CC recommends first sending the vendor a draft of your advisory before publishing.

However, other cases can be more complex, such as reports that affect multiple vendors, only some of which are responsive to the reporter. In general, the CERT/CC is here to help with scenarios that go "off the rails". That can happen for many different reasons, such as:

...