Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Review ZDI blog post for suggestions: Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD #47

Open
ahouseholder opened this issue Jul 17, 2024 · 2 comments
Open

Review ZDI blog post for suggestions: Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD #47

ahouseholder opened this issue Jul 17, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@ahouseholder
Copy link
Collaborator

Dustin Childs published a blog post UNCOORDINATED VULNERABILITY DISCLOSURE: THE CONTINUING ISSUES WITH CVD on
July 15, 2024. Is there anything in https://www.zerodayinitiative.com/blog/2024/7/15/uncoordinated-vulnerability-disclosure-the-continuing-issues-with-cvd that would prompt us to change anything in the guide?

concerns we don't already address, expanding existing descriptions, adding or updating references, etc.
@ahouseholder ahouseholder added the enhancement New feature or request label Jul 17, 2024
@sei-vsarvepalli
Copy link

sei-vsarvepalli commented Jul 17, 2024
edited
Loading

Yeh I think so.. At least a few I can see.

  1. Vendors having to de-duplicate reports or acknowledge multiple related vulnerability reports
  2. Vendors already aware of a vulnerability (sometimes internally discovered or reported) but have it in their queue, sometimes long queue, till they see an exploit or any CVD trigger from another reporter with higher embargo.

@ahouseholder
Copy link
Collaborator Author

(my own list, independent of previous comment)

  • We might expand https://certcc.github.io/CERT-Guide-to-CVD/topics/principles/avoid_surprise to address the vendor surprising the reporter with publication. Appears to be a case where an agreed embargo was cut short because the vendor terminated early, and the reporter found out via the publication rather than via communication within the case.
  • What to do when disagreement on things like CVSS vector elements (Exploit Code Maturity is a point of contention in the post)
  • We don't really address "one-sided coordination" directly. From the post:

CVD doesn’t work if the only ones coordinating are the researchers. While these are Microsoft examples, there are multiple occasions from various vendors where “coordination” simply means “You tell us everything you know about this bug, and maybe something will happen.”

Vendors want researchers to trust them, but they aren’t taking the necessary steps to earn our trust. What’s sad is that we aren’t asking for a lot. Tell us you’ve received the report. Confirm or deny our findings. Tell us when a patch is coming. Acknowledge us appropriately (and spell our name right). And finally, once the patch is available, tell us where we can find the patch. Strangely, one of the biggest problems we have at the ZDI is just getting vendors to tell us when something is fixed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ahouseholder @sei-vsarvepalli