08/15/2017

CERT Guide to Coordinated Vulnerability Disclosure Released

Pittsburgh, Pa., August 15, 2017—The CERT Division of the Software Engineering Institute at Carnegie Mellon University today released a special report titled The CERT Guide to Coordinated Vulnerability Disclosure. The report is available as a free download from the CERT Division website.

By now everyone knows that software and software-based products have vulnerabilities. Left unaddressed, those vulnerabilities expose systems and users to risk. For vulnerable systems to be fixed, the vulnerabilities must first be found, the vulnerable code must be patched, and the patches must be distributed and deployed.

Coordinated vulnerability disclosure (CVD) is a process intended to ensure that these steps occur in a way that minimizes the harm posed by vulnerable products. The Guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful CVD process. It also provides insights into how CVD can go awry and how to respond when it does so.

“To put it simply,” said Allen Householder, senior vulnerability analyst at the CERT Coordination Center, “CVD can be thought of as a process that begins with someone finding a vulnerability, then repeatedly asking ‘what should I do with this information?’ and ‘who else should I tell?’ until the answers are ‘nothing,’ and ‘no one.’ But different parties have different perspectives and opinions on how those questions should be answered. These differences are what led us to write this guide.”

CVD is a process, not an event. Its purpose is to reduce an adversary’s advantage during the window in which an information security vulnerability is being mitigated.

“Mobile devices already outnumber traditional computers, and the Internet of Things (IoT) stands to dwarf mobile computing in terms of the sheer number of devices within the next few years,” said Householder. “As vulnerability discovery tools and techniques evolve to meet this new reality, so must tools and processes for coordination and disclosure. Assumptions built into many vulnerability handling processes about disclosure timing, coordination channels, development cycles, scanning, patching, and so forth must be reevaluated in the light of hardware-based systems that are likely to dominate the future Internet.”

To download The CERT Guide to Coordinated Vulnerability Disclosure, visit http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=503330.

About the Carnegie Mellon University Software Engineering Institute
The Software Engineering Institute (SEI) is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University. The SEI works with organizations to make measurable improvements in their software engineering capabilities by providing technical leadership to advance the practice of software engineering. For more information, visit the SEI website at http://www.sei.cmu.edu. The CERT Cybersecurity Division of the SEI is the world’s leading trusted authority dedicated to improving the security and resilience of computer systems and networks and a national asset in the field of cybersecurity. For more information, visit http://www.cert.org.