Coordinated vulnerability disclosure

Last updated

In computer security, coordinated vulnerability disclosure (CVD, sometimes known as responsible disclosure) [1] is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue. [2] This coordination distinguishes the CVD model from the "full disclosure" model.

Contents

Developers of hardware and software often require time and resources to repair their mistakes. Often, it is ethical hackers who find these vulnerabilities. [1] Hackers and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities. Hiding problems could cause a feeling of false security. To avoid this, the involved parties coordinate and negotiate a reasonable period of time for repairing the vulnerability. Depending on the potential impact of the vulnerability, the expected time needed for an emergency fix or workaround to be developed and applied and other factors, this period may vary between a few days and several months.

Coordinated vulnerability disclosure may fail to satisfy security researchers who expect to be financially compensated. At the same time, reporting vulnerabilities with the expectation of compensation is viewed by some as extortion. [3] [4] Some organizations have set up a bug bounty program to reward reporting vulnerabilities through proper channels. These include Facebook, Google, and Barracuda Networks. [5] [ failed verification ]

Disclosure

Google Project Zero has a 90-day disclosure deadline which starts after notifying vendors of vulnerability, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. [6]

ZDI has a 120-day disclosure deadline which starts after receiving a response from the vendor. [7]

Managed vulnerability disclosure

In addition to internally operated vulnerability disclosure programs, some organizations rely on managed vulnerability disclosure services provided by third-party security vendors. In this model, an external provider operates and maintains the vulnerability reporting channel on behalf of the organization, performs initial triage and validation of incoming reports, and coordinates communication between reporters and the affected organization. Managed approaches are typically used by organizations that lack dedicated internal security resources or that receive a high volume of vulnerability submissions.

Managed vulnerability disclosure services generally align with established coordinated disclosure frameworks, such as those published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [8] and the European Union Agency for Cybersecurity (ENISA) [9] , and are commonly designed to support standards including ISO/IEC 29147 and ISO/IEC 30111. Industry guidance describes these services as a way to improve responsiveness, reduce legal risk for researchers through safe-harbor language, and ensure consistent handling of vulnerability reports, while maintaining the organization’s responsibility for remediation and final disclosure decisions. Several commercial vulnerability management and bug bounty platforms offer managed disclosure as part of broader security testing or vulnerability coordination services, like Hackrate, who also participate directly in vulnerability identification by acting as CVE Numbering Authorities (CNAs), enabling them to assign CVE identifiers as part of the coordinated disclosure process. [10]

Examples

Selected security vulnerabilities resolved by applying coordinated disclosure:

See also

References

  1. 1 2 Ding, Aaron Yi; De jesus, Gianluca Limon; Janssen, Marijn (2019). "Ethical hacking for boosting IoT vulnerability management". Proceedings of the Eighth International Conference on Telecommunications and Remote Sensing. Ictrs '19. Rhodes, Greece: ACM Press. pp. 49–55. arXiv: 1909.11166 . doi:10.1145/3357767.3357774. ISBN   978-1-4503-7669-3. S2CID   202676146.
  2. Weulen Kranenbarg, Marleen; Holt, Thomas J.; van der Ham, Jeroen (2018-11-19). "Don't shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure" (PDF). Crime Science. 7 (1): 16. doi: 10.1186/s40163-018-0090-8 . ISSN   2193-7680. S2CID   54080134. Archived (PDF) from the original on 2024-10-02. Retrieved 2024-10-02.
  3. Kuhn, John (27 May 2016). "Bug Poaching: A New Extortion Tactic Targeting Enterprises". Security Intelligence. Archived from the original on 23 January 2022. Retrieved 23 January 2022.
  4. Rashid, Fahmida (9 September 2015). "Extortion or fair trade? The value of bug bounties". InfoWorld. Archived from the original on 23 January 2022. Retrieved 23 January 2022.
  5. Walshe, T.; Simpson, A.C. (2022). "Coordinated Vulnerability Disclosure programme effectiveness: Issues and recommendations". Computers & Security. 123 102936. doi: 10.1016/j.cose.2022.102936 . Retrieved 2023-08-21.
  6. "Feedback and data-driven updates to Google's disclosure policy". Project Zero. 2015-02-13. Archived from the original on 2021-05-15. Retrieved 2018-11-17.
  7. "Disclosure Policy". www.zerodayinitiative.com. Archived from the original on 2021-02-25. Retrieved 2018-11-17.
  8. "Coordinated Vulnerability Disclosure Program | CISA". www.cisa.gov. Retrieved 2026-01-18.
  9. "Coordinated Vulnerability Disclosure Policies in the EU | ENISA". www.enisa.europa.eu. 2025-11-06. Retrieved 2026-01-18.
  10. "CVE: Common Vulnerabilities and Exposures - Hackrate Kft". www.cve.org. Retrieved 2026-01-18.
  11. "MD5 collision attack that shows how to create false CA certificates". Archived from the original on 2021-05-07. Retrieved 2009-04-29.
  12. Goodin, Dan (2015-05-24). "Researcher who exploits bug in Starbucks gift cards gets rebuke, not love". Ars Technica. Archived from the original on 2023-05-16. Retrieved 2023-05-16.
  13. "Dan Kaminsky discovery of DNS cache poisoning" (PDF). Archived (PDF) from the original on 2012-07-07. Retrieved 2009-04-29.
  14. "MIT students find vulnerability in the Massachusetts subway security". Archived from the original on 2016-03-18. Retrieved 2009-04-29.
  15. "Researchers break the security of the MIFARE Classic cards" (PDF). Archived from the original (PDF) on 2021-03-18. Retrieved 2009-04-29.
  16. 1 2 "Project Zero: Reading privileged memory with a side-channel". 3 January 2018. Archived from the original on 1 October 2019. Retrieved 2 October 2024.
  17. The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli Archived 2017-11-12 at the Wayback Machine , Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, Vashek Matyas, November 2017
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.