How to Coordinate Vulnerability Disclosures
This section provides guidance for folks who are actively engaged in Coordinated Vulnerability Disclosure (CVD) and are looking for advice on how to handle specific situations. We have organized it roughly in the order that you might encounter these problems, although we're not strictly adhering to the Phases we've outlined in the Understanding CVD section.
How to Use This Section
Each page is intended to be a standalone resource, allowing you to directly access the advice you need. This means that some of the advice may be repeated across pages, but we try to cross-reference where possible.
The navigation on the left side of the page is organized by topic, consistent with the structure of this page. Where necessary, navigation within each page is also provided in the right-hand column. You can use the navigation buttons at the bottom of the page to move through the advice in sequence.
CVD Recipe Cards
In this edition of the Guide, we have organized our problem-solving advice into a set of recipe cards.
Like a recipe card, each item includes an ingredients list that describes
- the roles affected
- the phases in which the problem is likely to arise
- the problem itself
The recipe portion of each card provides a set of instructions for resolving the problem. These aren't necessarily step-by-step instructions, but rather a set of guidelines to help you navigate the problem.
Preparation for Coordinating Vulnerability Disclosure
Whether you're a security researcher, a vendor, or a coordinator, there are a few things you can do to prepare for a CVD process. This section provides some general advice on how to get ready for a CVD process, and how to make sure you're in a good position to handle any issues that might arise.
- There are several options for how to disclose a vulnerability. Each disclosure option has advantages and disadvantages.
- The public, and especially users of vulnerable products, deserve to be informed about issues with those products and how the vendor handles those issues. At the same time, disclosing such information without review and mitigation only opens the public up to exploitation. The ideal scenario occurs when everyone coordinates and cooperates to protect the public.
- Looking for vulnerabilities in software and hardware is a critical part of the security ecosystem. However, it is important to do so in a way that minimizes the potential for harm to others.
- A well-defined policy makes it clear what other participants in the CVD process can expect when they engage with you and establishes good relationships between finders, reporters, vendors, coordinators, and other stakeholders.
- The complexity of coordination problems increases rapidly as more parties are involved in the coordination effort. As a result, multiparty coordination using point-to-point communications does not scale well.
Initiating a Coordinated Vulnerability Disclosure Case
Sometimes, the hardest part of CVD is getting started. You might know about a vulnerability, but not know how to reach the vendor. Or you might be having trouble getting the vendor to respond. This section provides some advice on how to get the ball rolling.
- Reporting a vulnerability requires that the vulnerability be well documented. This typically means providing high-quality, actionable information to the vendor or coordinator.
- Making initial contact with a vendor can sometimes be more difficult than it should be.
- Even when you can find contact information for a vendor, not all vendors have an established process for receiving vulnerability reports.
- As a vendor, it is important not to treat reporters with suspicion or hostility. It's likely they have important information about your product, and they want to share it with you.
Coordinating Vulnerability Disclosure
Participating in a CVD process can be challenging. This section provides some advice on how to handle common issues that might arise during the coordination process.
- Reasons to Engage a Coordinator: Reporter experience, capacity, and the number or nature of vendors involved can all play a role in determining whether a coordinator is needed. In addition, disputes between reporters and vendors, or the potential for major infrastructure impacts, can also necessitate the involvement of a coordinator.
- Not all reports are actionable. Some reports may under-specify the problem, making it difficult or impossible to reproduce. Some may contain irrelevant details. Some will be well written and concise, but many will not. Some reports could describe problems that are already known or for which a fix is already in the pipeline.
- Even for the reports a vendor accepts (in scope, credible, and valid), it is likely that the development team does not have time to address every report at the moment it arrives. Thus, once a report is found to be valid, the next question is how to allocate resources to it.
- Many products today are not developed by a single organization. Instead, they are assembled from components sourced from other organizations. Vulnerabilities in these components can have far-reaching impacts and require coordination among multiple parties to resolve.
- Response Pacing and Synchronization: Problems can arise when the multiple parties involved in CVD function at different operational tempos. Different organizations have different priorities and development schedules, which can lead to some parties wanting to move faster than others.
- Sometimes one of the parties involved in a CVD effort will stop responding. Often, this is simply a reflection of priorities and attention shifting elsewhere rather than intentional behavior. It's usually best to give the benefit of the doubt and keep trying to reestablish contact if one of the CVD participants goes unresponsive.
Embargoes in Coordinated Vulnerability Disclosure
Embargoes are a common tool in the CVD process, but they can be tricky to manage. This section provides some advice on how to handle embargoes effectively, even when things don't go as planned.
- Maintaining Pre-Disclosure Secrecy: The more parties involved in a case, and the longer the embargo period lasts, the more likely a leak becomes.
- Complicated vulnerabilities usually take longer to fix. Larger cases involving more parties, more products, or more complex supply chains also tend to take longer to resolve, even if the vulnerabilities themselves are relatively simple.
- If one person can find a vulnerability, somebody else can, too. When multiple parties independently discover the same vulnerability, it can complicate the CVD process.
- Intentional or Accidental Leaks: You might find information you thought was shared in confidence showing up in some non-confidential location. It might be a simple misunderstanding, mismatched expectations, or in rare cases, a malicious act.
- If evidence comes to light that a vulnerability is being exploited in the wild, that is usually a strong indication to accelerate the disclosure timeline.
Complications in Coordinated Vulnerability Disclosure
Other complications can arise during the CVD process. This section provides some advice on how to handle these issues effectively. A summary of the advice in this section, along with a number of other scenarios, can be found in Troubleshooting CVD.
- Relationships that Go Sideways: When relationships go sideways in a CVD process, it can be a real problem. The process can stall, or worse, the vulnerability can be disclosed in a way that is harmful to users.
- Hype, Marketing, and Unwanted Attention: Is a branded vulnerability more dangerous than one without? Not in any technical sense, no. Instead, what it does is draw additional attention, which can lead to vendors being forced to adjust the priority of the vulnerability cases they're working on and allocate resources toward addressing whatever vulnerability is getting the hype.
- Troubleshooting Coordinated Vulnerability Disclosure: We have compiled a list of common problems that can arise during the Coordinated Vulnerability Disclosure (CVD) process. Each problem identified is accompanied by a description intended to help the reader diagnose the problem.
- What To Do When Things Go Wrong: While we can't tell you what to do in every possible combination of contingencies that may arise in the CVD process, we can suggest a few guidelines to help you navigate the complexity.
Ongoing Coordination Operations
Participating in a CVD process over time requires a set of tools and practices in order to be successful. In this section, we outline a few tools of the trade, and consider common operational security and personnel management issues.
Process Improvement Is a Key Principle of CVD
See also Process Improvement for more about how to improve your CVD process over time.