In computer security, coordinated vulnerability disclosure (CVD, sometimes known as responsible disclosure) is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue. This coordination distinguishes the CVD model from the "full disclosure" model.
Developers of hardware and software often require time and resources to repair their mistakes. Often, it is ethical hackers who find these vulnerabilities. Hackers and computer security scientists hold that it is their social responsibility to make the public aware of vulnerabilities, since hiding problems could create a false sense of security. To avoid this, the involved parties coordinate and negotiate a reasonable period of time for repairing the vulnerability. Depending on the potential impact of the vulnerability, the expected time needed for an emergency fix or workaround to be developed and applied, and other factors, this period may vary between a few days and several months.
Coordinated vulnerability disclosure may fail to satisfy security researchers who expect to be financially compensated. At the same time, reporting vulnerabilities with the expectation of compensation is viewed by some as extortion.
Some organizations have set up a bug bounty program to reward reporting vulnerabilities through proper channels. These include Facebook, Google, and Barracuda Networks.
Disclosure policies
Google Project Zero has a 90-day disclosure deadline which starts after the vendor is notified of the vulnerability; details are shared publicly with the defensive community after 90 days, or sooner if the vendor releases a fix.
ZDI has a 120-day disclosure deadline which starts after a response is received from the vendor.
Examples
Selected security vulnerabilities resolved by applying coordinated disclosure:
* MD5 collision attack that shows how to create false CA certificates, 1 week
* Starbucks gift card double-spending/race condition to create free extra credits, 10 days (Egor Homakov)
* Dan Kaminsky's discovery of DNS cache poisoning, 5 months
* MBTA vs. Anderson, MIT students find vulnerability in the Massachusetts subway security, 5 months
* Radboud University Nijmegen breaks the security of the MIFARE Classic cards, 6 months
* The Meltdown vulnerability, a hardware vulnerability affecting Intel x86 microprocessors and some ARM-based microprocessors, 7 months
* The Spectre vulnerability, a hardware vulnerability in implementations of branch prediction affecting modern microprocessors with speculative execution, allowing malicious processes access to the mapped memory contents of other programs, 7 months
* The ROCA vulnerability, affecting RSA keys generated by an Infineon library and Yubikeys, 8 months (The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli, Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec, Vashek Matyas, November 2017)
See also
* Zero-day vulnerability
* security.txt
* Computer emergency response team
References
External links
* The CERT Guide to Coordinated Vulnerability Disclosure
* CISA Coordinated Vulnerability Disclosure (CVD) Process
* Microsoft's Approach to Coordinated Vulnerability Disclosure
* Dutch National Cyber Security Centre Coordinated Vulnerability Disclosure Guideline (archive on archive.org)
* Hewlett-Packard Coordinated Vulnerability Disclosure policy
* Linksys Coordinated Vulnerability Disclosure Program
* Global Forum on Cyber Expertise Coordinated Vulnerability Disclosure policy
* ETSI Coordinated Vulnerability Disclosure policy
* ISO/IEC TR 5895:2022 - Multi-party coordinated vulnerability disclosure and handling, https://www.iso.org/standard/81807.html
Computer security procedures
Disclosure