Case and Bug Tracking
Case tracking systems such as bug trackers or trouble ticket systems are often used by vendors, coordinators, and reporters for tracking vulnerability reports. Such systems can centralize the vulnerability response process and provide the ability to track individual cases. Case tracking systems also provide a means of collecting data about recurring security issues and the performance of the response process itself.
Vulnerability Reports vs. Bug Reports
We have found it important to recognize that vulnerability reports are not always bug reports. A single vulnerability report might describe more than one bug; alternatively, it may describe a configuration issue that would not typically be considered a bug at all. Conversely, several independent reports may describe the same bug. In general, vulnerability reports and bug reports should be thought of as having a many-to-many relationship, allowing one or more vulnerability reports to be linked to one or more bug reports.
That said, bug tracking systems can still be useful for vulnerability report tracking if this distinction is kept in mind, and the bug tracking system has the appropriate capabilities.
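The following is an added example, not code from the CERT guide or from any real tracking system, showing one way to model the many-to-many relationship described above in a small SQLite schema. The table names, the sample reports and bugs, and the status rules are all made up for illustration. It demonstrates the three cases the text raises: one report covering two bugs, two reports pointing at the same bug (so both reporters can be notified when it is fixed), and a configuration-issue report that has no bug attached and therefore cannot be closed by bug status alone.

```python
"""Added example: a minimal tracker schema in which vulnerability reports
and bug reports are linked many-to-many.  Names and data are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE vuln_report (
    id        INTEGER PRIMARY KEY,
    reporter  TEXT NOT NULL,
    summary   TEXT NOT NULL,
    received  TEXT NOT NULL            -- ISO date the report arrived
);
CREATE TABLE bug (
    id        INTEGER PRIMARY KEY,
    component TEXT NOT NULL,
    status    TEXT NOT NULL CHECK (status IN ('open', 'fixed'))
);
-- Junction table: a report may map to several bugs, a bug may be reported
-- by several independent reports, and a report may map to no bug at all.
CREATE TABLE report_bug (
    report_id INTEGER NOT NULL REFERENCES vuln_report(id),
    bug_id    INTEGER NOT NULL REFERENCES bug(id),
    PRIMARY KEY (report_id, bug_id)
);
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory tracker populated with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO vuln_report VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "auth bypass and info leak in login", "2024-01-03"),
            (2, "bob", "session token written to log in plaintext", "2024-01-10"),
            (3, "carol", "default admin password left in shipped config", "2024-01-12"),
        ],
    )
    conn.executemany(
        "INSERT INTO bug VALUES (?, ?, ?)",
        [(101, "login", "open"), (102, "logging", "fixed")],
    )
    # Report 1 covers two bugs; reports 1 and 2 both describe bug 102;
    # report 3 is a configuration issue with no code bug attached.
    conn.executemany(
        "INSERT INTO report_bug VALUES (?, ?)", [(1, 101), (1, 102), (2, 102)]
    )
    conn.commit()
    return conn


def bugs_for_report(conn: sqlite3.Connection, report_id: int) -> list:
    """All (bug id, status) pairs linked to one vulnerability report."""
    return conn.execute(
        "SELECT b.id, b.status FROM bug b "
        "JOIN report_bug rb ON rb.bug_id = b.id "
        "WHERE rb.report_id = ? ORDER BY b.id",
        (report_id,),
    ).fetchall()


def reporters_to_notify(conn: sqlite3.Connection, bug_id: int) -> list:
    """Everyone who independently reported this bug; used for credit and
    notification once the bug is fixed."""
    rows = conn.execute(
        "SELECT DISTINCT v.reporter FROM vuln_report v "
        "JOIN report_bug rb ON rb.report_id = v.id "
        "WHERE rb.bug_id = ? ORDER BY v.reporter",
        (bug_id,),
    ).fetchall()
    return [r[0] for r in rows]


def report_status(conn: sqlite3.Connection, report_id: int) -> str:
    """A report is resolved only when every linked bug is fixed.  A report
    with no linked bug (for example a configuration issue) cannot be closed
    by bug status alone, so it is flagged for manual disposition."""
    statuses = [status for _, status in bugs_for_report(conn, report_id)]
    if not statuses:
        return "needs_manual_disposition"
    return "resolved" if all(s == "fixed" for s in statuses) else "open"


def unresolved_reports(conn: sqlite3.Connection) -> list:
    """Reports that cannot be closed yet: a linked bug is still open, or
    there is no linked bug to drive the status."""
    ids = [r[0] for r in conn.execute("SELECT id FROM vuln_report ORDER BY id")]
    return [i for i in ids if report_status(conn, i) != "resolved"]


if __name__ == "__main__":
    db = build_sample_db()
    for rid in (1, 2, 3):
        print(rid, report_status(db, rid), bugs_for_report(db, rid))
    print("notify for bug 102:", reporters_to_notify(db, 102))
```

The point of the junction table is that closing a bug does not close a report by itself: `report_status` has to look at every bug the report is linked to, and a report with zero links has to be handled by a human, which is exactly the configuration-issue case a plain bug tracker tends to lose.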
MPCVD and Case Tracking
At the CERT/CC, we've found that more complicated CVD cases—for example the multiparty cases described in MPCVD—become more like projects than tickets. In the context of MPCVD, multiple organizations may be involved in the response process, and each organization may have its own case tracking system.
We have been working on the development of a protocol for sharing case information across organizations, which we hope will help to address some of these challenges. The Vultron Protocol is a work in progress that aims to provide interoperability across organizations' CVD processes.
CVD Platforms and Turnkey Services
CVD Platform Providers
Some popular CVD platform providers include:
A number of third-party CVD platforms now exist to facilitate communication between vendors and reporters. Although they are often referred to as bug bounty platforms, the bounty aspect is in fact optional—vendors can use CVD platforms to receive reports without needing to compensate reporters unless they choose to do so.
CVD platforms provide an encrypted communications channel (HTTPS) for reporters to communicate with vendors. These platforms generally allow two-way communication, making ongoing discussion between vendor and reporter easy. The channel is usually hosted by a third party in a software-as-a-service model, which may be attractive to organizations that cannot maintain their own infrastructure due to resource constraints. Note, however, that HTTPS protects a report only in transit: once stored, the vulnerability details are readable by the platform operator, so hosting them on third-party infrastructure may present a confidentiality risk to some organizations. It is therefore important to consult internal policies before determining whether a CVD platform fits your organization's needs and requirements.
DoD's Vulnerability Disclosure Program
The U.S. Department of Defense (DoD) has a Vulnerability Disclosure Program (VDP) that uses a CVD platform to receive reports from security researchers. The DoD VDP is a public program that allows security researchers to report vulnerabilities in DoD websites and systems. The DoD VDP is a good example of a CVD platform that is used to facilitate communication between reporters and vendors, even without an explicit bug bounty program. Reporters to the DoD VDP are not compensated monetarily for their reports, but they are able to gain recognition and reputation points within the CVD platform that can lead to future opportunities for paid work.
CVD Platforms and Account Creation
An important note regarding these platforms is that a CVD platform by its nature requires a login. As explained previously, requiring an account may discourage some reporters or other organizations from joining the platform, locking them out of the discussion. Organizations should consider whether the benefits of using a CVD service outweigh this concern.