Versions Compared

Old Version 4

changes.mady.by.user user-5e993

Saved on

compared with

New Version Current

changes.mady.by.user user-8b192

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Occasionally vendors and reporters have difficulty arriving at a mutually acceptable response to the existence of a vulnerability.

Disputes can arise for many reasons, including the following:

  • whether Whether the behavior described in the report is reproducible
  • whether Whether the behavior described in the report has security implications
  • the The impact of the vulnerability to deployed systems
  • whether Whether to publicly disclose the vulnerability
  • how How much detail to include in a public disclosure
  • the The timing of public disclosure
  • whether Whether extensions should be made to deadlines set by one party or another, whether or not they have been mutually agreed to previously

...

In situations where a vulnerability has the potential for major impact to critical infrastructure, it may be necessary to coordinate not only with vendors to fix the vulnerable products, but also with major deployers. The primary concern in these cases is to ensure that internet and other critical infrastructure remains available so that deployers and other network defenders can acquire and deploy the necessary information and patches.

Luckily this scenario is rare, but we have seen it come up in cases affecting internet routing, the Domain Name System (DNS), internet protocols, and the like. Vulnerabilities that affect basic Internet services such as DNS (which also serves as an example of a horizontal supply chain) affect a massive number of vendors; a coordinator can help contact and disseminate information to vendors, service providers, and other critical organizations for quick remediation.


Panel
borderStylesolid

< 3.4. Deployer | 3.6. Other Roles and Variations >

References

  1. CERT Division, "CSIRT Frequently Asked Questions (FAQ)," Software Engineering Institute, [Online]. Available: https://www.cert.org/incident-management/csirt-development/csirt-faq.cfm? [Accessed 16 May 2017].
  2. CERT Division, "Incident Management: Resources for National CSIRTs," Software Engineering Institute, [Online]. Available: https://www.cert.org/incident-management/national-csirts/index.cfm. [Accessed 16 May 2017].
  3. CERT, "List of National CSIRTs," [Online]. Available: https://www.cert.org/incident-management/national-csirts/national-csirts.cfm. [Accessed 23 May 2017].
  4. BugCrowd, "BugCrowd," [Online]. Available: https://bugcrowd.com/. [Accessed 23 May 2017].
  5. FIRST, "FIRST Teams," [Online]. Available: https://www.first.org/members/teams. [Accessed 16 May 2017].
  6. BugCrowd, "BugCrowd," [Online]. Available: https://bugcrowd.com/. [Accessed 23 May 2017].
  7. HackerOne, "HackerOne," [Online]. Available: https://www.hackerone.com. [Accessed 23 May 2017].
  8. SynAck, "SynAck," [Online]. Available: https://www.synack.com. [Accessed 23 May 2017].
  9. Cobalt Labs Inc., "Cobalt," [Online]. Available: https://cobalt.io/. [Accessed 23 May 2017].
  10. CERT, "Vulnerability Analysis," [Online]. Available: https://www.cert.org/vulnerability-analysis/. [Accessed 23 May 2017].
  11. National Cyber Security Centre Netherlands, "NCSC-NL," [Online]. Available: https://www.ncsc.nl/english. [Accessed 23 May 2017].
  12. NCSC-FI, "Finnish Communications Regulatory Authority / National Cyber Security Centre Finland," [Online]. Available: https://www.viestintavirasto.fi/en/cybersecurity.html.
  13. JPCERT/CC, "Japan Computer Emergency Response Team Coordination Center," [Online]. Available: https://www.jpcert.or.jp/english/. [Accessed 16 May 2017].
  14. U.S. Department of Homeland Security, "Information Sharing and Analysis Organizations (ISAOs)," [Online]. Available: https://www.dhs.gov/isao. [Accessed 23 May 2017].
  15. National Council of ISACs, "National Council of ISACs," [Online]. Available: https://www.nationalisacs.org/. [Accessed 23 May 2017].