Coordination is the process by which multiple parties share information about a vulnerability, with the goal of producing a patch that fixes it. Usually, the patch is accompanied by a security advisory, which gives the public information on the vulnerability and on how to apply the patch. However, in some cases, the security advisory may be released before a patch is available. The CERT/CC's security advisories are known as Vulnerability Notes.
The CERT/CC coordinates vulnerabilities with vendors, and also assists vulnerability reporters who wish to begin the coordination process for their own vulnerability.
We usually recommend that a reporter first try reporting the vulnerability directly to the vendor or maintainer of the software in question.
The vendor or maintainer of the software is often easy to contact and responsive to security concerns. Simply send your report to the vendor and ask what timeline is needed for a fix.
The following is a non-exhaustive list of resources that give an overview of the coordination process and might help a reporter find the appropriate contact at a company. The CERT/CC has not vetted any of these resources for accuracy or coverage, and provides the links for informational purposes only.
The EFF provides some legal guidance on the vulnerability disclosure process: https://www.eff.org/issues/coders/vulnerability-reporting-faq
However, there are several reasons a reporter might not communicate directly with the vendor. In these cases, the CERT/CC is available to assist.
If any of the following conditions are true, you might consider reaching out to the CERT/CC for assistance in coordinating or publishing your case:
For more information about working with the CERT/CC, you may wish to read the following resources that describe our typical process: