Understanding CVD

While we provide more practical guidance in the How To section, this section provides a more abstract understanding of Coordinated Vulnerability Disclosure (CVD). This section is intended for those who want to understand the principles, roles, and phases of CVD.

```mermaid
---
title: CVD Overview
---
flowchart LR
    Principles -->|guide| Roles
    Roles -->|perform| Phases
    Principles -->|support| Phases
```

Principles of Coordinated Vulnerability Disclosure

Over the years, the CERT/CC has identified a number of principles that guide our efforts in coordinating vulnerability disclosures and which seem to be present in many successful CVD programs. These principles include the following:

  • Reduce Harm

    At its core, harm reduction with respect to vulnerable software is about balancing the ability for system defenders to take action while avoiding an increase in attacker advantage.

  • Presume Benevolence

    In terms of the CVD process, we have found that it is usually best to assume that any individual who has taken the time and effort to reach out to a vendor or a coordinator to report an issue is likely benevolent and sincerely wishes to reduce the risk posed by the vulnerability.

  • Avoid Surprise

    As with most situations in which multiple parties are engaged in a potentially stressful and contentious negotiation, surprise tends to increase the risk of a negative outcome.

  • Incentivize Desired Behavior

    Not everyone shares the same values, concerns, perspectives, or even ethical foundations, so it's not reasonable to expect everyone to play by your rules. Keeping that in mind, we've found that it's usually better to reward good behavior than to try to punish bad behavior.

  • Ethical Considerations

    Various computing-related professional societies have established their own codes of ethics. Each of these has some application to CVD.

  • Process Improvement

    In reviewing their experience in the CVD process, participants should capture ideas that worked well and note failures. This feedback can be used to improve both the Software Development Lifecycle and the CVD process itself.

  • CVD is a Wicked Problem

    The term wicked problem is used to describe a problem that is difficult or impossible to solve because of incomplete, contradictory, and changing requirements that are often difficult to recognize.

Roles in Coordinated Vulnerability Disclosure

Certain roles are critical to the Coordinated Vulnerability Disclosure process, as described in the following sections:

  • Finder (Discoverer) -- the individual or organization that identifies the vulnerability
  • Reporter -- the individual or organization that notifies the vendor of the vulnerability
  • Vendor -- the individual or organization that created or maintains the product that is vulnerable
  • Deployer -- the individual or organization that must deploy a patch or take other remediation action
  • Coordinator -- an individual or organization that facilitates the coordinated response process
  • Other Roles -- other roles that may be involved in the CVD process

Participants Can Play Multiple Roles

It is possible and often the case that individuals and organizations play multiple roles. For example, a cloud service provider might act as both vendor and deployer, while a researcher might act as both finder and reporter. A vendor may also be both a deployer and a coordinator. In fact, the CERT/CC has played all five roles over time, although not usually simultaneously.

Relationships Between Roles

Although a more detailed description of the CVD process is provided in Phases of CVD, a simple sketch of the relationships between these roles is shown in the figure below.

```mermaid
---
title: Coordination Relationships in CVD
---
flowchart TB
    subgraph C[Coordination]
        direction LR
        subgraph A[Often<br/>Same<br/>Entity]
            reporter([Reporter])
            finder([Finder])
        end
        vendor([Vendor])
        subgraph D[Sometimes<br/>Included]
            coordinator([Coordinator])
            deployer([Deployer])
        end
    end
    public([Public])

    finder <--> reporter
    reporter <--> vendor
    vendor <-.-> coordinator
    reporter <-.-> coordinator
    vendor <-.-> deployer
    coordinator <-.-> deployer
    reporter <-.-> deployer
    C -->|publish| public
```

Phases of Coordinated Vulnerability Disclosure

Below, we adapt a version of the process described in ISO/IEC 30111:2019 (Information technology—Security techniques—Vulnerability handling processes), adding phases to better describe what we have seen at the CERT/CC.

  • Discovery

    A researcher (not necessarily an academic one) discovers a vulnerability by using one of numerous tools and processes.

  • Reporting

    A researcher submits a vulnerability report to a software or product vendor, or to a third-party coordinator if necessary.

  • Validation and Prioritization

    The analyst validates the report to ensure accuracy before action can be taken and prioritizes it relative to other reports.

  • Remediation

    A remediation plan (ideally a software patch, but possibly other mechanisms) is developed and tested.

  • Public Awareness

    The vulnerability and its remediation plan are disclosed to the public.

  • Deployment

    The remediation is applied to deployed systems.

Vulnerability Handling Process Models

There have been a number of proposed models of the CVD process that have slightly varying phases. Some of the most notable include:

Who Does What?

Extending the diagram from the Roles in CVD page, we can see how the roles interact in the CVD process.

```mermaid
---
title: CVD Role Relationships
---
flowchart TB
    subgraph C[Coordination]
        direction LR
        subgraph A[Often Same Entity]
            Reporter([Reporter])
            Finder([Finder])
        end
        Vendor([Vendor])
        subgraph B[Sometimes Included]
            Coordinator([Coordinator])
            Deployer([Deployer])
        end
    end

    Finder -->|shares vul<br/>info with| Reporter
    Reporter -->|reports<br/>vul to| Vendor
    Reporter -.->|provides vul<br/>info to| Deployer
    Reporter -.->|reports<br/>vul to| Coordinator

    Vendor -->|coordinates<br/>with| Reporter
    Vendor -.->|coordinates<br/>with| Coordinator
    Vendor -->|provides vul info<br/>and/or patch to| Deployer

    Coordinator -.->|coordinates<br/>with| Vendor
    Coordinator -.->|coordinates<br/>with| Reporter
    Coordinator -.->|provides vul<br/>info to| Deployer

    Deployer -->|provides<br/>feedback to| Vendor

    C -->|publish| Public([Public])
```

A mapping of CVD phases to CVD roles is provided in the following table.

| Phase ↓ / Role → | Finder | Reporter | Vendor | Coordinator | Deployer |
|---|---|---|---|---|---|
| Discovery | Finds vulnerabilities | - | - | - | - |
| Reporting | Prepares report | Reports vuls to vendor(s) and/or coordinator(s) | Receives reports | Receives reports | - |
| Validation | - | - | Validates reports received | Validates reports received | - |
| Prioritization | - | - | Prioritizes reports for response | Prioritizes reports for response | Prioritizes fixes for deployment |
| Remediation | - | Confirms fix | Prepares patches, develops advice, workarounds | Coordinates multiparty response, develops advice, workarounds | - |
| Public Awareness | Publishes advisory | Publishes advisory | Publishes advisory | Publishes advisory | Receives advisory |
| Deployment | - | - | - | - | Deploys fix or mitigation |