Events in 2014 have once again highlighted the need for improvements in the area of vulnerability coordination. Historically, foundational work on best practices, policy and process for vulnerability disclosure focused on bilateral coordination (one reporter, one vendor) and does not adequately address the current complexities of vulnerability coordination. Factors such as a vibrant open source development community, the proliferation of bug bounty programs, third-party software components and the support challenges facing CSIRTs are just a few of the complicating aspects.
No single entity or group of stakeholders has tried to solve this coordination challenge, because it requires a multi-faceted perspective and a multi-stakeholder solution. Heartbleed and other issues in 2014 have spotlighted these coordination challenges, so we would like to take the opportunity to form a community-led working group to address the challenges and opportunities and to explore how the response community might develop a multi-faceted solution.
Develop and execute a strategy for improving vulnerability coordination globally.
Develop and publish vulnerability coordination best practices, including use cases or examples that describe scenarios and disclosure paths.
A draft of the Guidelines and Practices for Multi-Party Vulnerability Coordination has been published.
ICASI member companies (Microsoft, Amazon, Juniper, Intel, Blackberry, Cisco, IBM, Oracle), all of which are also members of FIRST, have indicated a willingness to participate. In addition, a BOF meeting at the 2014 FIRST Conference generated strong interest from participants looking to FIRST to take the lead.