FIRST Updates Coordination Principles for Multi-Party Vulnerability Coordination and Disclosure
As part of its mission to encourage global coordination and a common language, the Forum of Incident Response and Security Teams (FIRST) has released an updated set of coordination principles: Guidelines for Multi-Party Vulnerability Coordination and Disclosure, version 1.1. The purpose of the Guidelines is to improve coordination and communication across different stakeholders during a vulnerability disclosure and to provide best practices, policy and processes for reporting issues that span multiple vendors. They are targeted at vulnerabilities that have the potential to affect a wide range of vendors and technologies at the same time. The new Guidelines are published on the FIRST website.
Previous best practices, policy and process for vulnerability disclosure focused on bilateral coordination between a single reporter and a single vendor and did not adequately address the current complexities of multi-party vulnerability coordination. Factors such as a vibrant open source development community, the proliferation of bug bounty programs, third-party software, supply chain vulnerabilities and the support challenges facing CSIRTs and PSIRTs are just a few of the complicating aspects.