The CERT Guide to Coordinated Vulnerability Disclosure
March 2020 • Podcast
Allen Householder and David Warren discuss the CERT Guide to Coordinated Vulnerability Disclosure, which is used by security researchers, software vendors, and other stakeholders in informing others about security vulnerabilities.
“Our guide came up because we realized that more people were needing to do disclosure and coordinated disclosures. It is not just software vendors. It also is government agencies and any manufacturer now that has some smart component or Internet of Things device.”
Software Engineering Institute
Security vulnerabilities remain a problem for vendors and deployers of software-based systems alike. Vendors play a key role by providing fixes for vulnerabilities, but they have no monopoly on the ability to discover vulnerabilities in their products and services. Knowledge of those vulnerabilities can increase adversarial advantage if deployers are left without recourse to remediate the risks they pose. Coordinated Vulnerability Disclosure (CVD) is the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of software vulnerabilities and their mitigations to various stakeholders, including the public. The CERT Coordination Center has been coordinating the disclosure of software vulnerabilities since its inception in 1988. In this podcast, Allen Householder and David Warren discuss the CERT Guide to Coordinated Vulnerability Disclosure, which is intended for use by security researchers, software vendors, and other stakeholders in navigating the complexities of informing others about security vulnerabilities. The Guide was recently updated in response to user feedback and has influenced both the U.S. Congress and EU Parliament in their approaches to vulnerability disclosure policy.