The CERT Guide to Coordinated Vulnerability Disclosure

Householder, Allen D.; Wassermann, Garret; Manion, Art; King, Chris

The CERT Guide to Coordinated Vulnerability Disclosure

Active / Technical Report | Accession Number: AD1046659 |

Open PDF

Abstract:

Security vulnerabilities remain a problem for vendors and deployers of software-based systems alike. Vendors play a key role by providing fixes for vulnerabilities, but they have no monopoly on the ability to discover vulnerabilities in their products and services. Knowledge of those vulnerabilities can increase adversarial advantage if deployers are left without recourse to remediate the risks they pose. Coordinated Vulnerability Disclosure CVD is the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of software vulnerabilities and their mitigations to various stakeholders including the public. The CERT Coordination Center has been coordinating the disclosure of software vulnerabilities since its inception in 1988. This document is intended to serve as a guide to those who want to initiate, develop, or improve their own CVD capability. In it, the reader will find an overview of key principles underlying the CVD process, a survey of CVD stakeholders and their roles, and a description of CVD process phases, as well as advice concerning operational considerations and problems that may arise in the provision of CVD and related services.

Author(s):

Householder, Allen D. ; Wassermann, Garret ; Manion, Art ; King, Chris

Author Organization(s):

CARNEGIE-MELLON UNIV PITTSBURGH PA PITTSBURGH United States

Descriptive Note:

Technical Report

Pagination:

0121

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:

Approved For Public Release

Distribution Statement:

Approved For Public Release;

RECORD

Collection: TR

Identifying Numbers

Report Number(s):

CMU/SEI-2017-SR-022

Contract/Grant Number(s):

FA8702-15-D-0002

Subject Terms

Joint Capability Areas:

JCA_5_Command and Control; JCA_5.3_Planning; JCA_5.3.2_Apply Situational Understanding; JCA_8_Building Partnerships; JCA_8.2_Shape; JCA_8.2.4_Leverage Capacities and Capabilities of Security Establishments; JCA_6_Net Centric; JCA_4.6_Engineering; JCA_5.2_Understand; JCA_5.2.3_Share Knowledge and Situational Awareness; JCA_6.4.1_Secure Information Exchange; JCA_7_Protection; JCA_1_Force Support; JCA_7.2.1_Mitigate Lethal Effects; JCA_7.2_Mitigate; JCA_1.2_Force Preparation; JCA_5.5_Direct; JCA_5.3.1_Analyze Problem; JCA_5.5.1_Communicate Intent and Guidance; JCA_6.1.3_Switching and Routing; JCA_6.1.2_Wireless Transmission

Modernization Areas:

Cyber

Communities of Interest:

Cyber

Descriptor(s):

COMPUTER SECURITY, vulnerability, software engineering, Malware, heuristic methods

Field(s)/Group(s):

Computer Systems Management and Standards, Computer Programming and Software

Keyword(s):

software vulnerabilities, cvd (Coordinated Vulnerability Disclosure), vr (Vulnerability Response), vm (Vulnerability Management), vulnerability response process, vulnerability report, CERT CC, CSIRT (Computer Security Incident Response Team), PSIRT (Product Security Incident Response Team), software security

Report Date:

2017 Aug 11

Creation Date:

2017 Aug 11