Multi-Party Coordination and Disclosure

Multi-Party Coordination

Events in the recent past have highlighted the need for real improvements in the area of vulnerability coordination. Historically, foundational work on best practices, policy, and process for vulnerability disclosure have focused on bi-lateral coordination and did not adequately address the current complexities of multi-party vulnerability coordination. Factors such as a vibrant open source development community, the proliferation of bug bounty programs, third party software, and the support challenges facing CSIRTs and PSIRTs or bug bounty programs are just a few of the complications. Examples such as Heartbleed highlight coordination challenges.

The Industry Consortium for Advancement of Security on the Internet (ICASI) proposed to the FIRST Board of Directors that a Special Interest Group (SIG) be considered on Vulnerability Disclosure. After holding meetings at the FIRST Conferences in Boston in June 2015, ICASI formally requested FIRST to charter a SIG to review and update vulnerability coordination guidelines

In March 2016, the National Telecommunications and Information Association (NTIA) convened a multi-stakeholder process to investigate cybersecurity vulnerabilities. One of the efforts within this process focused on multi-party coordination. In June 2016, the NTIA multi-party effort joined the similar effort underway within the FIRST Vulnerability Coordination SIG. This combined effort has produced a document that derives multiparty disclosure guidelines and practices from common coordination scenarios and variations. Subsequent work will address bi-lateral coordination and approaches to notification.

Draft for Public Comment

A provisional draft of Guidelines and Practices for Multi-Party Vulnerability Coordination has been published. A final draft will be posted on December 21, 2016 and will be open to public comment through January 31, 2017.

FIRST Vulnerability Coordination SIG is a multi-stack hold group. While the SIG is a cluster of the top vulnerability coordination experts, it is also known that others may have valuable contributions. FIRST and the SIG seeks out productive contributions to this draft.

Comments should be submitted by email to vulcoord-sig-comments@first.org. Comments that are well explained and include proposed changes will be prioritized. After the comment period is closed, the SIG will revise the document and publish a final version.