Update on the CERT Guide to Coordinated Vulnerability Disclosure
It's been two years since we originally published the CERT Guide to Coordinated Vulnerability Disclosure. In that time, it's influenced both the US Congress and EU Parliament in their approaches to vulnerability disclosure. I wanted to provide an update on how the Guide is evolving in response to all the feedback we received.
First, we've encapsulated much of our advice into a troubleshooting table similar to one you might find at the back of an appliance manual. We've organized it by problem, the parties affected, and the phases in which those problems can arise. Of all the changes we've made thus far, this is, in my opinion, the most significant new contribution since the Guide's initial publication.
Second, we've turned the entire document into a web site which allows us to make revisions and get feedback more efficiently. Additionally, having the content available in a web site format allows folks to link directly to the relevant portion of the document without having to plow through a 120+ page PDF file.
Third, we've expanded on a number of details, including:
- added new specific advice to reporters on how to find vendor contacts, in section 4.2 Reporting
- added advice about when to engage coordinators to 4.5 Gaining Public Awareness
- expanded 4.6 Promote Deployment to include advice for vulnerabilities affecting critical infrastructure and to address feedback we received from Congress (clarifying that "patch available" and "patch deployed" are two separate events)
- added a collection of resource links for researchers and vendors to find and validate web-related vulnerabilities in Appendix F
- added a list of links to significant appearances of the Guide in Sightings
- made various minor fixes (a complete change history can be found in Recent Changes)
Fourth, we've heard your feedback that 120+ pages is a lot to get through. We're still evaluating our options for providing something more succinct, but in the meantime we've created a CVD Quick Start meta-guide that points to various jumping-off points for folks who have more specific needs than what a linear reading of the Guide might offer.
Finally, we'd like to continue to encourage and receive your feedback. To that end we've created an issue tracker under our GitHub presence to capture your suggestions, be they large or small. We want this Guide to reflect not just our experience here at CERT/CC, but to include hard-won knowledge from finders, reporters, vendors, coordinators, and stakeholders alike. Our goal is to provide the most comprehensive advice available to improve the world's response to vulnerable software. So if you have a suggestion on how we can improve the Guide, please create an issue in the GitHub tracker so we can start the conversation.