An Overview of the Coordination Process
Coordination Directly with the Vendor
When working directly with the vendor, generally the coordination process proceeds as follows (note: this list is somewhat idealized):
- Security researcher reports a vulnerability to a vendor directly
- Vendor analyzes the report, attempting to verify correctness of information
- If report is accepted by vendor, the vendor forms a plan of action for how to address the vulnerability and in what time frame
- Toward the end of the time frame, security advisories are drafted and a CVE ID is assigned
- reporter and vendor may request a CVE ID from MITRE
- The patch for the vulnerability is released privately to affected vendors first
- On an agreed-upon date, public security advisories are published detailing the issue, and how to obtain the patch or mitigate the issue
- typically, the vendor will release an advisory simultaneously with the reporter publishing an advisory on a security mailing list such as Bugtraq or Full Disclosure, or possibly even a personal blog.
Should a vendor become unresponsive, some reporters will proceed to publishing a security advisory after giving notice to the vendor. Alternatively, you may contact the CERT/CC for assistance in reaching the vendor.
The CERT/CC is here to help with scenarios that go "off the rails". This can include many different reasons, such as:
- Reporter is new to coordination and disclosure and would like some guidance on reporting and disclosing vulnerabilities
- Vendor is new to coordination and disclosure; the vendor may be unreachable by the reporter, or the vendor may request guidance on handling the report and establishing operations for future reports
In these cases you can contact the CERT/CC for assistance.
Coordinating via CERT/CC
When working with the CERT/CC, the process is typically very similar but with a few extra steps:
- Security researcher reports a vulnerability to the CERT/CC and requests coordination assistance
- CERT/CC analyzes the report, attempting to verify correctness of information, and deciding if will accept or decline to provide assistance
- If the report is accepted by the CERT/CC, then the CERT/CC will attempt to contact the vendor and report the vulnerability
- CERT/CC begins planning on public disclosure after 45 days from initial date of attempted contact, or another date negotiated with the reporter
- If the vendor replies, CERT/CC will work with the vendor to develop and test patches if necessary, as well as help notify any downstream vendors affected
- If the vendor does not reply, CERT/CC will attempt to alert downstream vendors prior to the disclosure date and then publish the Vulnerability Note after sending a reminder notice to the vendor
- If possible, CERT/CC and the vendor will provide the patch for the vulnerability to downstream vendors privately before public disclosure
- Prior to the publication date, a CVE ID is assigned by CERT/CC if requested (otherwise, MITRE may assign)
- On the agreed-upon publication date, public security advisories are published, detailing the issue and how to obtain the patch or mitigate the issues. CERT/CC may publish a Vulnerability Note, and typically the vendor and/or the reporter will also publish their own advisories.
Please note that when a vulnerability is reported to the CERT/CC, we will begin to manage the process and timeline. We will take reporter's comments into our decision process, but by submitting a report, the reporter agrees that CERT/CC has final decision authority over any coordination and publishing on the CERT.ORG website. As the vulnerability reporter, you are the owner of the vulnerability information and are free to disclose it on your own at any time, if you wish.