Software Engineering Institute

 Media reports about Zero Days, bug bounties, and branded vulnerabilities usually focus on the publication of a vulnerability report. Vulnerability disclosure policies recently hit the mainstream with public kerfuffles between Google and Microsoft over the timing a few vulnerability announcements. However, public reports largely ignore the process of coordination and disclosure that precedes a publication event. For the past 26 years at the CERT Coordination Center, we have been helping connect security researchers and vendors in the interest of improving the security of the Internet and providing users and administrators with the information they need to secure their systems. In this talk I’ll describe the process of coordinating vulnerability disclosures, why it’s hard, and some of the pitfalls and hidden complexities we have encountered. This will be a behind-the-scenes look at a process that doesn’t receive much attention yet is of critical importance to internet security.