Understanding CVD
While we provide more practical guidance in the How To section, this section provides a more abstract understanding of Coordinated Vulnerability Disclosure (CVD). This section is intended for those who want to understand the principles, roles, and phases of CVD.
```mermaid
---
title: CVD Overview
---
flowchart LR
Principles -->|guide| Roles
Roles -->|perform| Phases
Principles -->|support| Phases
```
Principles of Coordinated Vulnerability Disclosure
Over the years, the CERT/CC has identified a number of principles that guide our efforts in coordinating vulnerability disclosures and which seem to be present in many successful CVD programs. These principles include the following:
- At its core, harm reduction with respect to vulnerable software is about balancing the ability for system defenders to take action while avoiding an increase in attacker advantage.
- In terms of the CVD process, we have found that it is usually best to assume that any individual who has taken the time and effort to reach out to a vendor or a coordinator to report an issue is likely benevolent and sincerely wishes to reduce the risk posed by the vulnerability.
- As with most situations in which multiple parties are engaged in a potentially stressful and contentious negotiation, surprise tends to increase the risk of a negative outcome.
- Not everyone shares the same values, concerns, perspectives, or even ethical foundations, so it's not reasonable to expect everyone to play by your rules. Keeping that in mind, we've found that it's usually better to reward good behavior than to try to punish bad behavior.
- Various computing-related professional societies have established their own codes of ethics. Each of these has some application to CVD.
- In reviewing their experience in the CVD process, participants should capture ideas that worked well and note failures. This feedback can be used to improve both the Software Development Lifecycle and the CVD process itself.
- The term wicked problem is used to describe a problem that is difficult or impossible to solve because of incomplete, contradictory, and changing requirements that are often difficult to recognize.
Roles in Coordinated Vulnerability Disclosure
Certain roles are critical to the Coordinated Vulnerability Disclosure process, as described in the following sections:
- Finder (Discoverer) -- the individual or organization that identifies the vulnerability
- Reporter -- the individual or organization that notifies the vendor of the vulnerability
- Vendor -- the individual or organization that created or maintains the product that is vulnerable
- Deployer -- the individual or organization that must deploy a patch or take other remediation action
- Coordinator -- an individual or organization that facilitates the coordinated response process
- Other Roles -- other roles that may be involved in the CVD process
Participants Can Play Multiple Roles
It is possible and often the case that individuals and organizations play multiple roles. For example, a cloud service provider might act as both vendor and deployer, while a researcher might act as both finder and reporter. A vendor may also be both a deployer and a coordinator. In fact, the CERT/CC has played all five roles over time, although not usually simultaneously.
Relationships Between Roles
Although a more detailed description of the CVD process is provided in Phases of CVD, a simple sketch of the relationships between these roles is shown in the figure below.
```mermaid
---
title: Coordination Relationships in CVD
---
flowchart TB
subgraph C[Coordination]
direction LR
subgraph A[Often<br/>Same<br/>Entity]
reporter([Reporter])
finder([Finder])
end
vendor([Vendor])
subgraph D[Sometimes<br/>Included]
coordinator([Coordinator])
deployer([Deployer])
end
end
public([Public])
finder <--> reporter
reporter <--> vendor
vendor <-.-> coordinator
reporter <-.-> coordinator
vendor <-.-> deployer
coordinator <-.-> deployer
reporter <-.-> deployer
C -->|publish| public
```
Phases of Coordinated Vulnerability Disclosure
Below, we adapt a version of ISO/IEC 30111:2019 Information technology -- Security techniques -- Vulnerability handling processes, with more phases to better describe what we have seen at the CERT/CC.
- Discovery: A researcher (not necessarily an academic one) discovers a vulnerability by using one of numerous tools and processes.
- Reporting: A researcher submits a vulnerability report to a software or product vendor, or to a third-party coordinator if necessary.
- Validation and Prioritization: The analyst validates the report to ensure accuracy before action can be taken, and prioritizes the report relative to others.
- Remediation: A remediation plan (ideally a software patch, but it could also be other mechanisms) is developed and tested.
- Public Awareness: The vulnerability and its remediation plan are disclosed to the public.
- Deployment: The remediation is applied to deployed systems.
Vulnerability Handling Process Models
There have been a number of proposed models of the CVD process that have slightly varying phases. Some of the most notable include:
- 2002 Christey and Wysopal Responsible Vulnerability Disclosure Process
- 2004 National Infrastructure Advisory Council Vulnerability Disclosure Framework
- 2018 ISO/IEC 29147:2018 Information technology -- Security techniques -- Vulnerability disclosure
- 2019 ISO/IEC 30111:2019 Information technology -- Security techniques -- Vulnerability handling processes
Who Does What?
Extending the diagram from the Roles in CVD page, we can see how the roles interact in the CVD process.
```mermaid
---
title: CVD Role Relationships
---
flowchart TB
subgraph C[Coordination]
direction LR
subgraph A[Often Same Entity]
Reporter([Reporter])
Finder([Finder])
end
Vendor([Vendor])
subgraph B[Sometimes Included]
Coordinator([Coordinator])
Deployer([Deployer])
end
end
Finder -->|shares vul<br/>info with| Reporter
Reporter -->|reports<br/>vul to| Vendor
Reporter -.->|provides vul<br/>info to| Deployer
Reporter -.->|reports<br/>vul to| Coordinator
Vendor -->|coordinates<br/>with| Reporter
Vendor -.->|coordinates<br/>with| Coordinator
Vendor -->|provides vul info<br/>and/or patch to| Deployer
Coordinator -.->|coordinates<br/>with| Vendor
Coordinator -.->|coordinates<br/>with| Reporter
Coordinator -.->|provides vul<br/>info to| Deployer
Deployer -->|provides<br/>feedback to| Vendor
C -->|publish| Public([Public])
```
A mapping of CVD phases to CVD roles is provided in the following table.
| Phase ↓ / Role → | Finder | Reporter | Vendor | Coordinator | Deployer |
|---|---|---|---|---|---|
| Discovery | Finds vulnerabilities | - | - | - | - |
| Reporting | Prepares report | Reports vuls to vendor(s) and/or coordinator(s) | Receives reports | Receives reports | - |
| Validation | - | - | Validates reports received | Validates reports received | - |
| Prioritization | - | - | Prioritizes reports for response | Prioritizes reports for response | Prioritizes fixes for deployment |
| Remediation | - | Confirms fix | Prepares patches, develops advice, workarounds | Coordinates multiparty response, develops advice, workarounds | - |
| Public Awareness | Publishes advisory | Publishes advisory | Publishes advisory | Publishes advisory | Receives advisory |
| Deployment | - | - | - | - | Deploys fix or mitigation |