The CERT Guide to Coordinated Vulnerability Disclosure
Published in Software Engineering Institute Special Report, 2017
CMU/SEI Special Report CMU/SEI-2017-SR-022
By Allen D. Householder, Garret Wassermann, Art Manion, and Christopher King

This guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful Coordinated Vulnerability Disclosure (CVD) process. It also provides insights into how CVD can go awry and how to respond when it does.
Full Abstract: Security vulnerabilities remain a problem for vendors and deployers of software-based systems alike. Vendors play a key role by providing fixes for vulnerabilities, but they have no monopoly on the ability to discover vulnerabilities in their products and services. Knowledge of those vulnerabilities can increase adversarial advantage if deployers are left without recourse to remediate the risks they pose. Coordinated Vulnerability Disclosure (CVD) is the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of software vulnerabilities and their mitigations to various stakeholders including the public. The CERT Coordination Center has been coordinating the disclosure of software vulnerabilities since its inception in 1988. This document is intended to serve as a guide to those who want to initiate, develop, or improve their own CVD capability. In it, the reader will find an overview of key principles underlying the CVD process, a survey of CVD stakeholders and their roles, and a description of CVD process phases, as well as advice concerning operational considerations and problems that may arise in the provision of CVD and related services.
2019 revised version published as a wiki
Related: A 2016 series of SEI blog posts I authored describing coordinated vulnerability disclosure
Recommended citation: Householder, Allen D.; Wassermann, Garret; Manion, Art; & King, Christopher. The CERT Guide to Coordinated Vulnerability Disclosure. Software Engineering Institute. 2017. https://insights.sei.cmu.edu/library/the-cert-guide-to-coordinated-vulnerability-disclosure-2/