Coordinated vulnerability disclosure
Model for disclosing computer security vulnerabilities
From Wikipedia, the free encyclopedia
In computer security, coordinated vulnerability disclosure (CVD, sometimes known as responsible disclosure)[1] is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue.[2] This coordination distinguishes the CVD model from the "full disclosure" model.
Developers of hardware and software often require time and resources to repair their mistakes. Often, it is ethical hackers who find these vulnerabilities.[1] Hackers and computer security scientists hold that it is their social responsibility to make the public aware of vulnerabilities, since hiding problems could create a false sense of security. To avoid this, the involved parties coordinate and negotiate a reasonable period of time for repairing the vulnerability. Depending on the potential impact of the vulnerability, the expected time needed for an emergency fix or workaround to be developed and applied, and other factors, this period may vary between a few days and several months.
Coordinated vulnerability disclosure may fail to satisfy security researchers who expect to be financially compensated. At the same time, reporting vulnerabilities with the expectation of compensation is viewed by some as extortion.[3][4] Some organizations have set up a bug bounty program to reward reporting vulnerabilities through proper channels. These include Facebook, Google, and Barracuda Networks.[5]
Disclosure policies
Google Project Zero has a 90-day disclosure deadline which starts after notifying vendors of a vulnerability, with details shared publicly with the defensive community after 90 days, or sooner if the vendor releases a fix.[6]
The Zero Day Initiative (ZDI) has a 120-day disclosure deadline which starts after receiving a response from the vendor.[7]
Examples
Selected security vulnerabilities resolved by applying coordinated disclosure:
- MD5 collision attack that shows how to create false CA certificates, 1 week[8]
- Starbucks gift card double-spending/race condition to create free extra credits, 10 days (Egor Homakov)[9]
- Dan Kaminsky's discovery of DNS cache poisoning, 5 months[10]
- MBTA vs. Anderson, MIT students find a vulnerability in the security of the Massachusetts subway, 5 months[11]
- Radboud University Nijmegen breaks the security of the MIFARE Classic cards, 6 months[12]
- The Meltdown vulnerability, a hardware vulnerability affecting Intel x86 microprocessors and some ARM-based microprocessors, 7 months[13]
- The Spectre vulnerability, a hardware vulnerability in implementations of branch prediction affecting modern microprocessors with speculative execution, allowing malicious processes access to the mapped memory contents of other programs, 7 months[13]
- The ROCA vulnerability, affecting RSA keys generated by an Infineon library and YubiKeys, 8 months[14]