Reasons to Engage a Coordinator
There are a number of reasons that a finder, reporter, or vendor may wish to engage a third-party coordinator to assist with the CVD process.
Reporter experience, reporter capacity, and the number or nature of the vendors involved can all play a role in determining whether a coordinator is needed. Disputes between reporters and vendors, or the potential for major infrastructure impacts, can also necessitate the involvement of a coordinator.
Reporter Inexperience
Novice reporters sometimes request assistance from coordinators to increase the chances of a successful resolution to the vulnerability they have found. Working with a coordinator for the first few cases can help develop a reporter's knowledge of the CVD process. From the coordinator's perspective, working with novice reporters serves to transfer knowledge of CVD to the security research community, thereby improving vulnerability response overall. We have found that novice reporters usually learn quickly and are willing to do most of the coordination effort themselves, but just need occasional advice on how the process should work.
Reporter Capacity
Seeing a CVD case through to resolution can at times be a protracted process. Not all reporters have the time or resources to follow up on vulnerabilities they've reported. In such situations, a coordinator can help by offloading some of the effort. However, coordinators are often limited in their capacity as well, and must accordingly prioritize the cases they choose to take on. As a result, coordinators and reporters alike should take care to set clear expectations with each other as to what roles they expect to play in any given coordination case.
Finder does not have the resources to shepherd a CVD case through to resolution
Role(s) affected: Finder
Phase(s): Discovery, Reporting, Validation and prioritization, Remediation, Public Awareness
Description:
- The vulnerability was found
- The finder / reporter is unable to devote the necessary resources (time, effort, etc.) to following it through to resolution
- Choosing to participate in Coordinated Vulnerability Disclosure can set into motion a protracted series of events that many finders and reporters may find exceeds their ability to sustain. The short answer is that you don't have to see the case through.
- Our experience is that many vendors are happy to receive reports even if the reporter disengages from the process immediately thereafter. The reporter's degree of involvement can therefore be self-regulating.
- We also remind our readers that Finders do not have to be reporters at all. We are unaware of any requirement for finders to report any vulnerabilities directly to the affected vendors.
- Finders that are genuinely indifferent to the effects of "dropping 0-day" always remain free to do so (although this likely affects vendors' propensity to cooperate with them in the future). Nonetheless, going public with a vulnerability can be a valid choice on the part of the finder. It is often informative if they also share their reason for doing so.
- For finders that want to be reporters but not manage the process, third party coordinators can sometimes offload some of the effort required.
Multiple Vendors Involved
At its most effective, CVD follows the supply chain affected by the vulnerability. As a mental model, it can be useful to think of the supply chain as horizontal or vertical. A horizontal supply chain implies that many vendors need to independently make changes to their products in order to fix a vulnerability. A vertical supply chain implies that one vendor might originate the fix, but many other vendors may need to update their products after the original fix is available. Software libraries tend to have vertical supply chains. Protocol implementations often have horizontal supply chains.
We discuss horizontal and vertical supply chains in Multiparty CVD.
A CVD case involves too many vendors or is otherwise excessively complex.
Role(s) affected: Reporter, Vendor
Phase(s): Reporting, Validation and prioritization, Remediation, Public Awareness
Description:
- Multiple vendors are likely to be affected by the vulnerability.
- The Reporter or Vendor(s) already involved are concerned about their ability to notify other Vendors and coordinate their response to the vulnerability.
- Reporters and Vendors can engage the services of a third party Coordinator to assist with notifying other Vendors, coordinating response along a supply chain, resolving disputes, etc.
- Reporters and Vendors should consider shortening the embargo period for larger multiparty cases. The chance of embargo failure grows dramatically as more parties are added to the coordination.
- See Multiparty CVD, Response Pacing and Synchronization, and Maintaining Pre-Disclosure Secrecy.
CVD Disputes
Occasionally vendors and reporters have difficulty arriving at a mutually acceptable response to the existence of a vulnerability.
Disputes can arise for many reasons, including the following:
- Whether the behavior described in the report is reproducible
- Whether the behavior described in the report has security implications
- The impact of the vulnerability to deployed systems
- Whether to publicly disclose the vulnerability
- How much detail to include in a public disclosure
- The timing of public disclosure
- Whether extensions should be made to deadlines set by one party or another, whether or not they have been mutually agreed to previously
In these situations, and many others, reporters and/or vendors may find it useful to engage the services of a third-party coordinator to assist with conflict resolution. Drawing on the experience and relative neutrality of a third-party coordinator can often dissipate some of the potential animosity that can arise in contentious cases.
A CVD case just isn't going well
Role(s) affected: Reporter, Vendor, Coordinator
Phase(s): Reporting, Validation and prioritization, Remediation, Public Awareness
Description:
- Cooperation has failed or is in the process of failing within the context of a particular CVD case.
- All parties in a failing CVD case should consider their actions in light of promoting continued cooperation.
- Reporters and Vendors can engage the services of a third party Coordinator to assist with notifying other Vendors, coordinating response along a supply chain, resolving disputes, etc.
- See Relationships that Go Sideways.
Major Infrastructure Impacts
In situations where a vulnerability has the potential for major impact to critical infrastructure, it may be necessary to coordinate not only with vendors to fix the vulnerable products, but also with major deployers. The primary concern in these cases is to ensure that internet and other critical infrastructure remains available so that deployers and other network defenders can acquire and deploy the necessary information and patches.
Luckily, this scenario is rare, but we have seen it come up in cases affecting internet routing, the Domain Name System (DNS), internet protocols, and the like. Vulnerabilities that affect basic Internet services such as DNS (which also serves as an example of a horizontal supply chain) affect a massive number of vendors; a coordinator can help contact and disseminate information to vendors, service providers, and other critical organizations for quick remediation or mitigation.
Reporting a Vulnerability to CERT/CC
You can request the CERT/CC's assistance in coordinating a vulnerability disclosure process by submitting a report through the CERT/CC's Vulnerability Reporting Form (VRF).