Coordinated vulnerability disclosure explained

In computer security, coordinated vulnerability disclosure (CVD, formerly known as responsible disclosure)[1] is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue.[2] This coordination distinguishes the CVD model from the "full disclosure" model.

Developers of hardware and software often require time and resources to repair their mistakes. Often, it is ethical hackers who find these vulnerabilities. Hackers and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities. Hiding problems could cause a feeling of false security. To avoid this, the involved parties coordinate and negotiate a reasonable period of time for repairing the vulnerability. Depending on the potential impact of the vulnerability, the expected time needed for an emergency fix or workaround to be developed and applied and other factors, this period may vary between a few days and several months.

Coordinated vulnerability disclosure may fail to satisfy security researchers who expect to be financially compensated. At the same time, reporting vulnerabilities with the expectation of compensation is viewed by some as extortion.[3] [4] While a market for vulnerabilities has developed, vulnerability commercialization (or "bug bounties") remains a hotly debated topic. Today, the two primary players in the commercial vulnerability market are iDefense, which started their vulnerability contributor program (VCP) in 2003, and TippingPoint, with their zero-day initiative (ZDI) started in 2005. These organizations follow the coordinated vulnerability disclosure process with the material bought. Between March 2003 and December 2007 an average 7.5% of the vulnerabilities affecting Microsoft and Apple were processed by either VCP or ZDI.[5] Independent firms financially supporting coordinated vulnerability disclosure by paying bug bounties include Facebook, Google, and Barracuda Networks.[6]

Disclosure policies

Google Project Zero has a 90-day disclosure deadline which starts after notifying vendors of vulnerability, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.[7]

ZDI has a 120-day disclosure deadline which starts after receiving a response from the vendor.[8]

Examples

Selected security vulnerabilities resolved by applying coordinated disclosure:

See also

External links

External links

Notes and References

  1. Book: Ding. Aaron Yi. De jesus. Gianluca Limon. Janssen. Marijn. Proceedings of the Eighth International Conference on Telecommunications and Remote Sensing . Ethical hacking for boosting IoT vulnerability management . 2019. http://dl.acm.org/citation.cfm?doid=3357767.3357774. Ictrs '19. en. Rhodes, Greece. ACM Press. 49–55. 10.1145/3357767.3357774. 978-1-4503-7669-3. 1909.11166. 202676146.
  2. Weulen Kranenbarg . Marleen . Holt . Thomas J. . van der Ham . Jeroen . 2018-11-19 . Don't shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure . Crime Science . en . 7 . 1 . 16 . 10.1186/s40163-018-0090-8 . 54080134 . 2193-7680. free .
  3. News: Kuhn . John . Bug Poaching: A New Extortion Tactic Targeting Enterprises . 23 January 2022 . Security Intelligence . 27 May 2016.
  4. News: Rashid . Fahmida . Extortion or fair trade? The value of bug bounties . 23 January 2022 . InfoWorld . 9 September 2015.
  5. Web site: Modelling the Security Ecosystem - The Dynamics of (In)Security . Stefan Frei, Dominik Schatzmann, Bernhard Plattner, Brian Trammel . 2008.
  6. Coordinated Vulnerability Disclosure programme effectiveness: Issues and recommendations. 2022 . 10.1016/j.cose.2022.102936 . 2023-08-21 . Walshe . T. . Simpson . A.C. . Computers & Security . 123 .
  7. Web site: Feedback and data-driven updates to Google's disclosure policy. 2015-02-13. Project Zero. 2018-11-17.
  8. Web site: Disclosure Policy. www.zerodayinitiative.com. 2018-11-17.
  9. Web site: MD5 collision attack that shows how to create false CA certificates.
  10. Web site: Goodin . Dan . 2015-05-24 . Researcher who exploits bug in Starbucks gift cards gets rebuke, not love . 2023-05-16 . Ars Technica . en-us.
  11. Web site: Dan Kaminsky discovery of DNS cache poisoning.
  12. Web site: MIT students find vulnerability in the Massachusetts subway security. 2009-04-29. 2016-03-18. https://web.archive.org/web/20160318232330/http://tech.mit.edu/V128/N30/subway.html. dead.
  13. Web site: Researchers break the security of the MIFARE Classic cards. 2009-04-29. 2021-03-18. https://web.archive.org/web/20210318132610/http://www2.ru.nl/media/pressrelease.pdf. dead.
  14. Web site: Project Zero: Reading privileged memory with a side-channel. 3 January 2018.
  15. https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli