Coordinator

Complicated or complex CVD cases can often benefit from the help of a coordinator. A coordinator acts as a relay or information broker between other stakeholders. Several types of coordinators with slightly different roles and domains exist. We list a few here.

Computer Security Incident Response Team (CSIRT)

A Computer Security Incident Response Team (CSIRT) is a service organization that is responsible for receiving, reviewing, and responding to computer security incident reports and activity. Their services are usually performed for a defined constituency that could be a parent entity such as a corporate, governmental, or educational organization; a region or country; a research network; or a paid client. A CSIRT can be a formalized team or an ad-hoc team. A formalized team performs incident response work as its major job function. An ad-hoc team is called together during an ongoing computer security incident or to respond to an incident when the need arises.

CSIRT Resources

The Forum of Incident Response and Security Teams (FIRST) created the CSIRT Services Framework. It covers the services that a CSIRT might provide, organized into five service areas: Information Security Event Management, Information Security Incident Management, Vulnerability Management, Situational Awareness, and Knowledge Transfer.

Additionally, the CERT Division of the Software Engineering Institute at Carnegie Mellon University has created a collection of CSIRT Resources.

CSIRT with National Responsibility

National CSIRTs

Just a few examples of National CSIRTs include:

• CISA
• National Cyber Security Centre
• JPCERT/CC
• NCSC-NL

CSIRTs with National Responsibility, also known as, National CSIRTs, are designated by a country or economy to have specific responsibilities in cyber protection for the country or economy. A National CSIRT can be inside or outside of government, but must be specifically recognized by the government as having responsibility in the country or economy. In addition to functioning as a clearing house for incident response across government departments and agencies, CSIRTs with National Responsibility often have some degree of responsibility or oversight for coordinating vulnerability response across their nation's critical infrastructure.

National CSIRT Resources

The CERT Division has compiled a collection of National CSIRT Resources.

Product Security Incident Response Team (PSIRT)

PSIRT Examples

• Microsoft Security Response Center (MSRC)
• Cisco PSIRT
• Intel Product Security
• Apple Product Security

Many vendor PSIRTs are active in the Forum of Incident Response and Security Teams (FIRST).

Product Security Incident Response Teams (PSIRTs) have emerged as a specialized form of CSIRT, allowing vendors to focus their response to product security issues. Although not all vendors have dedicated PSIRTs, vulnerability response is sufficiently different from security incident response that larger vendor organizations can usually justify having a distinct function to deal with it. PSIRTs usually provide an interface to the outside world to receive vulnerability reports as well as serving as a central coordinator between internal departments for the organization's vulnerability response for its products. When reporting a vulnerability to a vendor, the reporter will usually be communicating with the vendor's PSIRT.

FIRST PSIRT Services Framework

---
title: PSIRT Services Framework
---

flowchart TD
    subgraph sa[Service Areas]
    direction TB
    sa1[Stakeholder<br/>Ecosystem<br/>Management]
    sa2[Vulnerability<br/>Discovery]
    sa3[Vulnerability<br/>Triage]
    sa4[Vulnerability<br/>Remediation]
    sa5[Vulnerability<br/>Disclosure]
    sa6[Training &<br/>Education]
    end
    of[Organizational<br/>Foundations]
    of ~~~ sa
    sa1 ~~~ sa2
    sa2 ~~~ sa3
    sa6 ~~~ sa4
    sa4 ~~~ sa5

FIRST has published a PSIRT Services Framework that provides a comprehensive guide to the services that a PSIRT can provide. It is organized into Service Areas, Services, Functions, and Sub-Functions. The diagram at right shows the top-level Service Areas.

Security Research Organizations

Security Research Organizations

Some examples of organizations that might coordinate vulnerabilities they find include

• managed security service providers
• government agencies
• academic research teams

Additionally, vendors of products or services sometimes combine their PSIRT’s vulnerability response capability with their externally facing coordination capability.

Organizations that perform security research on other vendors’ products in the course of their own business sometimes establish their own coordination capability in order to handle the disclosure process for the vulnerabilities they find. A wide variety of organizations perform this kind of security research, whether for profit or for non-commercial reasons.

Furthermore, organizations that provide vulnerability management and scanning tools and services are often well-positioned to act as a disclosure coordinator for the vulnerabilities their products detect. This applies especially when those vulnerabilities have not already been disclosed to either the vendor or the public. Alternatively, organizations such as these may choose to partner with another coordinating organization in order to promote transparency and reduce the perception of bias in their vulnerability disclosure process.

Bug Bounty Programs

Many individual vendors have established bug bounty programs to compensate security researchers for their efforts in discovering vulnerabilities in the vendor’s products. Creation of a bug bounty program has been noted as an indicator of maturity in vendors’ vulnerability response efforts.

Bug Bounty Programs and Vulnerability Coordination

Bug bounty programs by themselves are not the same as a vulnerability coordination capability. Bug bounty programs are a way to incentivize security researchers to report vulnerabilities to the vendor. Importantly, they do not inherently create the internal plumbing necessary to respond to those vulnerabilities. In some cases, vendor bug bounty programs are enabled by other companies that provide tools and services to facilitate vulnerability coordination.

Vulnerability Disclosure Platforms and Commercial Brokers

Commercial Vulnerability Disclosure Platforms

• BugCrowd
• HackerOne
• SynAck
• Cobalt Labs Inc.

Not all vulnerability reporting programs include bug bounties. In recent years, a new class of coordinator has emerged in the form of commercial vulnerability disclosure platform providers.

Companies such as those at right offer turnkey solutions for vendors who want to bootstrap their own vulnerability response program.

Information Sharing and Analysis Organizations (ISAOs) and Centers (ISACs)

ISACs

The National Council of ISACs lists over two dozen ISACs in the United States, each focused on a different sector of critical infrastructure.

Information Sharing and Analysis Organizations (ISAOs) and Information Sharing and Analysis Centers (ISACs) are non-government entities that serve various roles in gathering, analyzing, and disseminating critical infrastructure cybersecurity information across private sector organizations of various sizes and capabilities. These organizations are increasingly involved in the coordination and deployment of vulnerability mitigations. Furthermore, we have observed a growing interest from critical infrastructure sectors engaging with the coordination of the vulnerability discovery, disclosure, and remediation processes.

Traditional Coordinators

Third-Party Coordinators

• CERT/CC
• JPCERT/CC
• NCSC-NL
• NCSC-FI

While most CVD programs help address the CVD needs of individual vendors, there still are vulnerabilities that require larger scale coordination. In particular, Multi-Party Coordinated Vulnerability Disclosure (MPCVD) remains a challenge for many organizations. As individual vendors have become more mature in their handling of vulnerabilities in their products, the role of MPCVD has increased in importance for more traditional vulnerability coordinators.