In computer security, coordinated vulnerability disclosure, or "CVD" (formerly known as responsible disclosure) is a

vulnerability disclosure Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by ...

model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to

patch Patch or Patches may refer to: Arts, entertainment and media * Patch Johnson, a fictional character from ''Days of Our Lives'' * Patch (''My Little Pony''), a toy * "Patches" (Dickey Lee song), 1962 * "Patches" (Chairmen of the Board song) ...

or remedy the vulnerability or issue. This coordination distinguishes the CVD model from the "

full disclosure Full disclosure or Full Disclosure may refer to: Computers * Full disclosure (computer security), in computer security the practice of publishing analysis of software vulnerabilities as early as possible * Full disclosure (mailing list), a mail ...

" model. Developers of hardware and software often require time and resources to repair their mistakes. Often, it is ethical hackers who find these vulnerabilities.

Hackers A hacker is a person skilled in information technology who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means. Though the term ''hacker'' has become associated in popu ...

and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities. Hiding problems could cause a feeling of false security. To avoid this, the involved parties coordinate and negotiate a reasonable period of time for repairing the vulnerability. Depending on the potential impact of the vulnerability, the expected time needed for an emergency fix or workaround to be developed and applied and other factors, this period may vary between a few days and several months. Coordinated vulnerability disclosure may fail to satisfy security researchers who expect to be financially compensated. At the same time, reporting vulnerabilities with the expectation of compensation is viewed by some as extortion. While a market for vulnerabilities has developed, vulnerability commercialization (or "bug bounties") remains a hotly debated topic. Today, the two primary players in the commercial vulnerability market are iDefense, which started their vulnerability contributor program (VCP) in 2003, and TippingPoint, with their zero-day initiative (ZDI) started in 2005. These organizations follow the coordinated vulnerability disclosure process with the material bought. Between March 2003 and December 2007 an average 7.5% of the vulnerabilities affecting Microsoft and Apple were processed by either VCP or ZDI. Independent firms financially supporting coordinated vulnerability disclosure by paying bug bounties include Facebook, Google, and Barracuda Networks.

Disclosure policies

Google Project Zero Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014. History After finding a number of flaws in software used by many end-users while researching other p ...

has a 90-day disclosure deadline which starts after notifying vendors of vulnerability, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. ZDI has a 120-day disclosure deadline which starts after receiving a response from the vendor.

Examples

Selected security vulnerabilities resolved by applying coordinated disclosure: * MD5 collision attack that shows how to create false CA certificates, 1 week *

Starbucks Starbucks Corporation is an American multinational chain of coffeehouses and roastery reserves headquartered in Seattle, Washington. It is the world's largest coffeehouse chain. As of November 2021, the company had 33,833 stores in 80 c ...

gift card double-spending/race condition to create free extra credits, 10 days (Egor Homakov) *

Dan Kaminsky Daniel Kaminsky (February 7, 1979 – April 23, 2021) was an American computer security researcher. He was a co-founder and chief scientist of WhiteOps, a computer security company. He previously worked for Cisco, Avaya, and IOActive, where h ...

discovery of DNS cache poisoning, 5 months * MBTA vs. Anderson, MIT students find vulnerability in the Massachusetts subway security, 5 months * Radboud University Nijmegen breaks the security of the MIFARE Classic cards, 6 months * The Meltdown vulnerability, hardware vulnerability affecting Intel x86 microprocessors and some ARM-based microprocessors, 7 months. * The Spectre vulnerability, hardware vulnerability with implementations of branch prediction affecting modern microprocessors with speculative execution, allowing malicious processes access to the mapped memory contents of other programs, 7 months. * The

ROCA vulnerability The ROCA vulnerability is a cryptographic weakness that allows the private key of a key pair to be recovered from the public key in keys generated by devices with the vulnerability. "ROCA" is an acronym for "Return of Coppersmith's attack". Th ...

, affecting RSA keys generated by an Infineon library and Yubikeys, 8 months.The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli
Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec,Vashek Matyas, November 2017

External links

References

{{reflist Computer security procedures Disclosure *

Disclosure policies

Examples

See also

External links

References