computer security Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, the ...

, coordinated vulnerability disclosure, or "CVD" (formerly known as responsible disclosure) is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to

patch Patch or Patches may refer to: Arts, entertainment and media * Patch Johnson, a fictional character from ''Days of Our Lives'' * Patch (''My Little Pony''), a toy * "Patches" (Dickey Lee song), 1962 * "Patches" (Chairmen of the Board song) ...

or remedy the vulnerability or issue. This coordination distinguishes the CVD model from the " full disclosure" model. Developers of hardware and software often require time and resources to repair their mistakes. Often, it is ethical hackers who find these vulnerabilities.

Hackers A hacker is a person skilled in information technology who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means. Though the term ''hacker'' has become associated in popu ...

and computer security scientists have the opinion that it is their

social responsibility Social responsibility is an ethical framework in which an individual is obligated to work and cooperate with other individuals and organizations for the benefit of the community that will inherit the world that individual leaves behind. Social ...

to make the public aware of vulnerabilities. Hiding problems could cause a feeling of

false security False or falsehood may refer to: *False (logic), the negation of truth in classical logic *Lie or falsehood, a type of deception in the form of an untruthful statement *false (Unix), a Unix command * ''False'' (album), a 1992 album by Gorefest *Ma ...

. To avoid this, the involved parties coordinate and negotiate a reasonable period of time for repairing the vulnerability. Depending on the potential impact of the vulnerability, the expected time needed for an emergency fix or workaround to be developed and applied and other factors, this period may vary between a few days and several months. Coordinated vulnerability disclosure may fail to satisfy security researchers who expect to be financially compensated. At the same time, reporting vulnerabilities with the expectation of compensation is viewed by some as extortion. While a market for vulnerabilities has developed, vulnerability commercialization (or "bug bounties") remains a hotly debated topic. Today, the two primary players in the commercial vulnerability market are iDefense, which started their vulnerability contributor program (VCP) in 2003, and

TippingPoint TippingPoint, part of Trend Micro Security, is an American software company founded in 1999 with focus on network security products, particularly intrusion prevention systems for networks. History The company was founded in January 1999 under ...

, with their zero-day initiative (ZDI) started in 2005. These organizations follow the coordinated vulnerability disclosure process with the material bought. Between March 2003 and December 2007 an average 7.5% of the vulnerabilities affecting Microsoft and Apple were processed by either VCP or ZDI. Independent firms financially supporting coordinated vulnerability disclosure by paying bug bounties include

Facebook Facebook is an online social media and social networking service owned by American company Meta Platforms. Founded in 2004 by Mark Zuckerberg with fellow Harvard College students and roommates Eduardo Saverin, Andrew McCollum, Dustin M ...

Google Google LLC () is an American multinational technology company focusing on search engine technology, online advertising, cloud computing, computer software, quantum computing, e-commerce, artificial intelligence, and consumer electronics. ...

, and

Barracuda Networks Barracuda Networks, Inc. is a company providing security, networking and storage products based on network appliances and cloud services. The company's security products include products for protection against email, web surfing, web hackers ...

Disclosure policies

Google Project Zero has a 90-day disclosure deadline which starts after notifying vendors of vulnerability, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. ZDI has a 120-day disclosure deadline which starts after receiving a response from the vendor.

Examples

Selected

security vulnerabilities Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by ...

resolved by applying coordinated disclosure: * MD5 collision attack that shows how to create false CA certificates, 1 week *

Starbucks Starbucks Corporation is an American multinational chain of coffeehouses and roastery reserves headquartered in Seattle, Washington. It is the world's largest coffeehouse chain. As of November 2021, the company had 33,833 stores in 80 c ...

gift card double-spending/race condition to create free extra credits, 10 days (Egor Homakov) *

Dan Kaminsky Daniel Kaminsky (February 7, 1979 – April 23, 2021) was an American computer security researcher. He was a co-founder and chief scientist of WhiteOps, a computer security company. He previously worked for Cisco, Avaya, and IOActive, where h ...

discovery of

DNS cache poisoning DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g ...

, 5 months * MBTA vs. Anderson, MIT students find vulnerability in the Massachusetts subway security, 5 months *

Radboud University Nijmegen Radboud University (abbreviated as RU, nl, Radboud Universiteit , formerly ''Katholieke Universiteit Nijmegen'') is a public research university located in Nijmegen, the Netherlands. The university bears the name of Saint Radboud, a 9th century D ...

breaks the security of the

MIFARE MIFARE is the NXP Semiconductors-owned trademark of a series of integrated circuit (IC) chips used in contactless smart cards and proximity cards. The brand name covers proprietary solutions based upon various levels of the ISO/IEC 14443 Type A ...

Classic cards, 6 months * The Meltdown vulnerability, hardware vulnerability affecting Intel x86 microprocessors and some

ARM In human anatomy, the arm refers to the upper limb in common usage, although academically the term specifically means the upper arm between the glenohumeral joint (shoulder joint) and the elbow joint. The distal part of the upper limb between th ...

-based microprocessors, 7 months. * The Spectre vulnerability, hardware vulnerability with implementations of

branch prediction In computer architecture, a branch predictor is a digital circuit that tries to guess which way a branch (e.g., an if–then–else structure) will go before this is known definitively. The purpose of the branch predictor is to improve the flow ...

affecting modern microprocessors with

speculative execution Speculative execution is an optimization technique where a computer system performs some task that may not be needed. Work is done before it is known whether it is actually needed, so as to prevent a delay that would have to be incurred by doing ...

, allowing malicious processes access to the mapped memory contents of other programs, 7 months. * The ROCA vulnerability, affecting RSA keys generated by an

Infineon Infineon Technologies AG is a German semiconductor manufacturer founded in 1999, when the semiconductor operations of the former parent company Siemens AG were spun off. Infineon has about 50,280 employees and is one of the ten largest semicond ...

library and

Yubikey The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Fac ...

s, 8 months.The Return of Coppersmith’s Attack: Practical Factorization of Widely Used RSA Moduli
Matus Nemec, Marek Sys, Petr Svenda, Dusan Klinec,Vashek Matyas, November 2017

External links

References

{{reflist Computer security procedures Disclosure *

Disclosure policies

Examples

See also

External links

References