FIRST updates coordination principles for Multi-Party Vulnerability Coordination and Disclosure

May 5th, 2020 – As part of their mission to encourage global coordination and a global language, the Forum of Incident Response and Security Teams (FIRST) has released an updated set of coordination principles – Guidelines for Multi-Party Vulnerability Coordination and Disclosure version 1.1. The purpose of the Guidelines is to improve coordination and communication across different stakeholders during a vulnerability disclosure and provide best practices, policy and processes for reporting any issues across multiple vendors. It is targeted at vulnerabilities that have the potential to affect a wide range of vendors and technologies at the same time. The new Guidelines can be found here.

Previous best practices, policy and process for vulnerability disclosure focused on bi-lateral coordination and did not adequately address the current complexities of multi-party vulnerability coordination. Factors such as a vibrant open source development community, the proliferation of bug bounty programs, third party software, supply chain vulnerabilities, and the support challenges facing CSIRTs and PSIRTs are just a few of the complicating aspects.

Art Manion, Vulnerability Analysis Technical Manager, CERT Coordination Center said: "As software development becomes more complex and connected to supply chains, coordinated vulnerability disclosure practices need to evolve. The updated Guidelines are a step in that evolution, deriving guidance and principles from practical use cases."

The Guidelines for Multi-Party Vulnerability Coordination and Disclosure contains a collection of best current practices that consider more complex as well as typical real-life scenarios that go beyond a single researcher reporting a vulnerability to a single company.

The Guidance includes:

  • Establish a strong foundation of processes and relationships
  • Maintain clear and consistent communications
  • Build and maintain trust
  • Minimize exposure for stakeholders
  • Respond quickly to early disclosure
  • Use coordinators when appropriate
  • Multi-Party Disclosure Use Cases

FIRST Chair, Serge Droz said: “The Guidelines for Multi-Party Vulnerability Coordination and Disclosure is an important step towards a better and more responsible way of managing vulnerabilities. It was crucial that these Guidelines were created in tandem with key stakeholders who may be affected by multi-party vulnerabilities. I am proud that FIRST was able to bring these stakeholders together to work on this very important document.”

Also available in PDF


About FIRST

Founded in 1990, the Forum of Incident Response and Security Teams (FIRST) consists of internet emergency response teams from more than 360 corporations, government bodies, universities and other institutions across 78 countries in the Americas, Asia, Europe, Africa, and Oceania. It promotes cooperation among computer security incident response teams. For more information, visit: www.first.org.

Media Contacts

Mandy Queen
Cred Communications Ltd
Tel: +852 9684 7365 | +852 2110 3519
Email: mandy@credcommunications.com