Model for disclosing computer security vulnerabilities
In computer security, coordinated vulnerability disclosure (CVD, formerly known as responsible disclosure)[1] is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue.[2] This coordination distinguishes the CVD model from the "full disclosure" model.
Developers of hardware and software often need time and resources to fix their mistakes, and the vulnerabilities in question are frequently found by ethical hackers.[1] Hackers and computer security researchers generally hold that they have a social responsibility to make the public aware of vulnerabilities, since concealing problems can create a false sense of security. To reconcile the finder's wish to publish with the vendor's need to fix, the involved parties coordinate and negotiate a reasonable period for repairing the vulnerability. Depending on the potential impact of the vulnerability, the expected time needed to develop and deploy an emergency fix or workaround, and other factors, this period may range from a few days to several months.
Coordinated vulnerability disclosure may fail to satisfy security researchers who expect to be financially compensated. At the same time, reporting vulnerabilities with the expectation of compensation is viewed by some as extortion.[3][4] While a market for vulnerabilities has developed, vulnerability commercialization (including "bug bounties") remains a hotly debated topic. In the period covered by the cited study, the two primary players in the commercial vulnerability market were iDefense, which started its vulnerability contributor program (VCP) in 2003, and TippingPoint, whose zero-day initiative (ZDI) started in 2005. Both organizations follow the coordinated vulnerability disclosure process for the vulnerabilities they purchase. Between March 2003 and December 2007, an average of 7.5% of the vulnerabilities affecting Microsoft and Apple were processed by either VCP or ZDI.[5] Independent firms that financially support coordinated vulnerability disclosure by paying bug bounties include Facebook, Google, and Barracuda Networks.[6]
[1] Ding, Aaron Yi; De Jesus, Gianluca Limon; Janssen, Marijn (2019). "Ethical hacking for boosting IoT vulnerability management". Proceedings of the Eighth International Conference on Telecommunications and Remote Sensing (ICTRS '19). Rhodes, Greece: ACM Press. pp. 49–55. arXiv:1909.11166. doi:10.1145/3357767.3357774. ISBN 978-1-4503-7669-3. S2CID 202676146.
[2] Weulen Kranenbarg, Marleen; Holt, Thomas J.; van der Ham, Jeroen (2018-11-19). "Don't shoot the messenger! A criminological and computer science perspective on coordinated vulnerability disclosure" (PDF). Crime Science. 7 (1): 16. doi:10.1186/s40163-018-0090-8. ISSN 2193-7680. S2CID 54080134.
[3] Kuhn, John (27 May 2016). "Bug Poaching: A New Extortion Tactic Targeting Enterprises". Security Intelligence. Retrieved 23 January 2022.
[4] Rashid, Fahmida (9 September 2015). "Extortion or fair trade? The value of bug bounties". InfoWorld. Retrieved 23 January 2022.
[5] Frei, Stefan; Schatzmann, Dominik; Plattner, Bernhard; Trammel, Brian (2008). "Modelling the Security Ecosystem - The Dynamics of (In)Security".
[6] "Coordinated Vulnerability Disclosure programme effectiveness: Issues and recommendations". Retrieved 2023-08-21.