
How to Win Friends and Coordinate a Vulnerability

Garret Wassermann

For nearly 30 years now, the CERT/CC Vulnerability Analysis team has provided assistance with coordinated vulnerability disclosure (CVD). In a nutshell, we help security researchers communicate with software vendors to resolve security issues, and we get that information into the hands of anyone affected by the vulnerability. The CVD process can be confusing. To help researchers and vendors who are new to CVD, we're announcing a couple of simple but important additions to our CVD services.

New VulWiki

First, we're launching a Vulnerability Analysis Wiki, or "VulWiki" for short. The VulWiki is meant to provide security researchers and software vendors with information on best practices for handling coordinated vulnerability disclosure. We hope the information will be useful to stakeholders who wish to perform CVD themselves as well as those who wish to work directly with us.

For example, we often get questions about the CVE ID assignment process, so we drafted a CVE IDs and How to Obtain Them page, now available on the VulWiki. We also have tutorials and tips for using our CERT tools (such as our fuzzers BFF and FOE) on the VulWiki, and we expect to use the VulWiki as a collaboration platform with other researchers and organizations in the future. Watch for the number of articles to grow over time as we continually add and refine the content.

Updated Vulnerability Reporting Form

Second, security researchers looking for help disclosing a vulnerability and notifying vendors may fill out our Vulnerability Reporting Form. The form has been revamped to be more useful by guiding new reporters through the process of analyzing and reporting a vulnerability. We also refined the questions so we can better understand your situation and how to help.

If you have comments on the new Vulnerability Reporting Form or the VulWiki, please let us know your thoughts.
