CERT/CC Vulnerability Disclosure Policy


Publications Catalog

Secure Coding Vulnerability Analysis

Cyber Security Engineering Network Situational Awareness

Resilience Management Insider Threat Governance

CSIRT Development National CSIRTs Forensics

CERT Training Courses Virtual Training Environment CERT Exercise Network (XNET) Certification Curricula

CERT/CC Vulnerability Disclosure Policy

All vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure. Disclosures made by the CERT/CC will include credit to the reporter unless otherwise requested by the reporter. We will apprise any affected vendors of our publication plans, and negotiate alternate publication schedules with the affected vendors when required.

It is the goal of this policy to balance the need of the public to be informed of security vulnerabilities with the vendors' need for time to respond effectively. The final determination of a publication schedule will be based on the best interests of the community overall.

Vulnerabilities reported to us will be forwarded to the affected vendors as soon as practical after we receive the report. The name and contact information of the reporter will be forwarded to the affected vendors unless otherwise requested by the reporter. We will advise the reporter of significant changes in the status of any vulnerability he or she reported to the extent possible without revealing information provided to us in confidence.

Vulnerabilities that are especially serious will be disclosed in US-CERT Alerts. Other vulnerabilities will be disclosed in US-CERT Vulnerability Notes.

Frequently asked questions regarding this policy

Q: Does this mean CERT/CC is going "full disclosure?"

A: We will not distribute exploits, if that's what "full disclosure" means. In our experience, the number of people who can benefit from the availability of exploits is small compared to the number of people who get harmed by people who use exploits maliciously. We will, however, disclose information about vulnerabilities that we might not have previously disclosed. Within the limits of our resources, we will publish information about as many vulnerabilities as we can.

Q: Why not 30 days, or 15 days, or immediately?

A: We think that 45 days can be a pretty tough deadline for a large organization to meet. Making it shorter won't realistically help the problem. In the absence of evidence of exploitation, gratuitously announcing vulnerabilities may not be in the best interest of public safety.

Q: Wouldn't it be better to keep vulnerabilities quiet if there isn't a fix available?

A: Vulnerabilities are routinely discovered and disclosed, frequently before vendors have had a fair opportunity to provide a fix, and disclosure often includes working exploits. In our experience, if there is not responsible, qualified disclosure of vulnerability information then researchers, programmers, system administrators, and other IT professionals who discover vulnerabilities often feel they have no choice but to make the information public in an attempt to coerce the vendors into addressing the problem.

Q: Will all vulnerabilities be disclosed within 45 days?

A: No. There may often be circumstances that will cause us to adjust our publication schedule. Threats that are especially serious or for which we have evidence of exploitation will likely cause us to shorten our release schedule. Threats that require "hard" changes (changes to standards, changes to core operating system components) will cause us to extend our publication schedule.

Q: Will you surprise vendors with announcements of vulnerabilities?

A: No. Prior to public disclosure, we'll make a good faith effort to inform vendors of our intentions.

Q: If a vendor disagrees with your assessment of a problem, will that information be available?

A: Yes. We solicit and post authenticated vendor statements and reference relevant vendor information in vulnerability notes. We will not withhold vendor-supplied information simply because it disagrees with our assessment of the problem.

Q: Who gets the information prior to public disclosure?

A: Generally, we provide the information to anyone who can contribute to the solution and with whom we have a trusted relationship, including vendors (often including vendors whose products are not vulnerable), community experts, CERT/CC sponsors, and sites that are part of a national critical infrastructure, if we believe those sites to be at risk.

Last updated May 15, 2008

Copyright 2000, 2008 Carnegie Mellon University
CERT and CERT Coordination Center are registered in the U.S. Patent & Trademark Office
Disclaimers and copyright information

Related searches:
public disclosed reporter affected vendor

gipoco.com is neither affiliated with the authors of this page or responsible
for its contents. This is a safe-cache copy of the original web site.

gipoco.com is neither affiliated with the authors of this page nor responsible for its contents. This is a safe-cache copy of the original web site.