Principles of Coordinated Vulnerability Disclosure
Over the years, the CERT/CC has identified a number of principles that guide our efforts in coordinating vulnerability disclosures and which seem to be present in many successful CVD programs. These principles include the following:
-
At its core, harm reduction with respect to vulnerable software is about balancing the ability for system defenders to take action while avoiding an increase in attacker advantage.
-
In terms of the CVD process, we have found that it is usually best to assume that any individual who has taken the time and effort to reach out to a vendor or a coordinator to report an issue is likely benevolent and sincerely wishes to reduce the risk posed by the vulnerability.
-
As with most situations in which multiple parties are engaged in a potentially stressful and contentious negotiation, surprise tends to increase the risk of a negative outcome.
-
Not everyone shares the same values, concerns, perspectives, or even ethical foundations, so it's not reasonable to expect everyone to play by your rules. Keeping that in mind, we've found that it's usually better to reward good behavior than try to punish bad behavior.
-
Various computing-related professional societies have established their own codes of ethics. Each of these has some application to CVD.
-
In reviewing their experience in the CVD process, participants should capture ideas that worked well and note failures. This feedback can be used to improve both the Software Development Lifecycle and the CVD process itself.
-
The term wicked problem is used to describe a problem that is difficult or impossible to solve because of incomplete, contradictory, and changing requirements that are often difficult to recognize.