An Overview of the Coordination Process
Coordination Directly with the Vendor
When working directly with the vendor, generally the coordination process proceeds as follows:
- Security researcher reports a vulnerability to a vendor directly
- Vendor analyzes the report, attempting to verify the correctness of the information
- If the report is accepted by the vendor, the vendor forms a plan of action for how to address the vulnerability and in what time frame
- Toward the end of the time frame, security advisories are drafted and a CVE ID is assigned
  - Either the reporter or the vendor may request a CVE ID from MITRE
- The patch for the vulnerability is released privately to affected vendors first
- On an agreed-upon date, public security advisories are published detailing the issue and how to obtain the patch or mitigate the issue
  - Typically, the vendor will release an advisory simultaneously with the reporter publishing an advisory on a security mailing list such as Bugtraq or Full Disclosure, or possibly even a personal blog
Should a vendor become unresponsive, some reporters will proceed to publish a security advisory after giving notice to the vendor. Alternatively, you may contact CERT/CC for assistance in reaching the vendor.
Coordinating via CERT/CC
When working with the CERT/CC, the process is very similar but with a few extra steps:
- Security researcher reports a vulnerability to the CERT/CC and requests coordination assistance
- CERT/CC analyzes the report, attempting to verify the correctness of the information, and decides whether it will accept or decline to provide assistance
- If the report is accepted by the CERT/CC, then the CERT/CC will attempt to contact the vendor and report the vulnerability
- CERT/CC begins planning for public disclosure 45 days from the initial date of attempted contact, or on another date negotiated with the reporter
- If the vendor replies, CERT/CC will work with the vendor to develop and test patches if necessary
- If the vendor does not reply, CERT/CC will alert downstream vendors prior to the disclosure date and then publish the Vulnerability Note after sending a reminder notice to the vendor
- CERT/CC will also notify any downstream vendors affected by the product of the vulnerability and the expected date of publication
- If possible, CERT/CC and the vendor will provide the patch for the vulnerability to downstream vendors privately before public disclosure
- Prior to the publication date, a CVE ID is assigned by CERT/CC if requested by the vendor (otherwise, MITRE may assign)
- On the agreed-upon publication date, public security advisories are published, detailing the issue and how to obtain the patch or mitigate the issue. CERT/CC may publish a Vulnerability Note, and typically the vendor and/or the reporter will also publish their own advisories.
Please note that when a vulnerability is reported to the CERT/CC, we will begin to manage the process and timeline. We will take the reporter's comments into our decision process, but by submitting a report, the reporter agrees that CERT/CC has final decision authority over any coordination and publishing on the CERT.ORG website. As the vulnerability reporter, you are the owner of the vulnerability information and are free to disclose it on your own at any time, if you wish.