As part of their mission to encourage global coordination and a global language, the Forum of Incident Response and Security Teams (FIRST) has released an updated set of coordination principles – Guidelines for Multi-Party Vulnerability Coordination and Disclosure version 1.1. The purpose of the Guidelines is to improve coordination and communication across different stakeholders during a vulnerability disclosure and provide best practices, policy and processes for reporting any issues across multiple vendors. It is targeted at vulnerabilities that have the potential to affect a wide range of vendors and technologies at the same time. The new Guidelines can be found here.
Previous best practices, policy and process for vulnerability disclosure focused on bi-lateral coordination and did not adequately address the current complexities of multi-party vulnerability coordination. Factors such as a vibrant open source development community, the proliferation of bug bounty programs, third-party software, supply chain vulnerabilities and the support challenges facing CSIRTs and PSIRTs are just a few of the complicating aspects.
Art Manion, Vulnerability Analysis Technical Manager, CERT Coordination Center said: "As software development becomes more complex and connected to supply chains, coordinated vulnerability disclosure practices need to evolve. The updated Guidelines are a step in that evolution, deriving guidance and principles from practical use cases."
The Guidelines for Multi-Party Vulnerability Coordination and Disclosure contains a collection of best current practices that consider more complex as well as typical real-life scenarios that go beyond a single researcher reporting a vulnerability to a single company.
The Guidance includes:
- Establish a strong foundation of processes and relationships
- Maintain clear and consistent communications
- Build and maintain trust
- Minimize exposure for stakeholders
- Respond quickly to early disclosure
- Use coordinators when appropriate
- Multi-Party Disclosure Use Cases
FIRST Chair, Serge Droz said: “The Guidelines for Multi-Party Vulnerability Coordination and Disclosure is an important step towards a better and more responsible way of managing vulnerabilities. It was crucial that these Guidelines were created in tandem with key stakeholders who may be affected by multi-party vulnerabilities. I am proud that FIRST was able to bring these stakeholders together to work on this very important document.”