
Preparation for Coordinating Vulnerability Disclosure

Whether you're a security researcher, a vendor, or a coordinator, there are a few things you can do to prepare for a CVD process. This section provides some general advice on how to get ready for a CVD process, and how to make sure you're in a good position to handle any issues that might arise.

  • Disclosure Choices


    There are several options for how to disclose a vulnerability. Each of these disclosure options has advantages and disadvantages.

  • Why Coordinate?


    The public and especially users of vulnerable products deserve to be informed about issues with those products and how the vendor handles those issues. At the same time, disclosing such information without review and mitigation only opens the public up to exploitation. The ideal scenario occurs when everyone coordinates and cooperates to protect the public.

  • Avoid Unnecessary Risk


    Looking for vulnerabilities in software and hardware is a critical part of the security ecosystem. However, it is important to do so in a way that minimizes the potential for harm to others.

  • Choosing a Disclosure Policy


    A well-defined policy makes it clear what other participants in the CVD process can expect when they engage with you and establishes good relationships between finders, reporters, vendors, coordinators, and other stakeholders.

  • Communication Topology


    The complexity of coordination problems increases rapidly as more parties are involved in the coordination effort. As a result, multiparty coordination using point-to-point communications does not scale well.