coordinated vulnerability disclosure

CERT Guide to Coordinated Vulnerability Disclosure announcement

2017/08/15 : Publication of the CERT Guide.

"The guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful CVD process. It also provides insights into how CVD can go awry and how to respond when it does so...

Thirty Minutes Or Less: An Oral History of the LØpht, Part Three

2018/03/08 : Dennis Fisher gives us an Oral History of the LØpht in four parts. This is the third part, when "[p]ieces in The Washington Post, Wired, and many other outlets raised the group's profile and brought its work to the attention of people far outside the hacker...

THE PRICE OF RESTRICTING VULNERABILITY PUBLICATIONS (Granick Article)

2005 : "Part One of this paper explains the current state of computer (in)security and sets forth three ways to restrict publications followed by the most common arguments for and against. It then illustrates the popularity of security publication restrictions with an ...

FIRST Vulnerability Coordination SIG

2014/06 : "The Industry Consortium for Advancement of Security on the Internet, ICASI, proposed to the FIRST Board of Directors that a Special Interest Group (SIG) be considered on Vulnerability Disclosure. After holding meetings at the FIRST Conferences in Boston in June 2014...

Guidelines and Practices for Multi-Party Vulnerability Coordination Open to Review (on FIRST Guidelines)

2017/01/20 : Omar Santos writes about the new FIRST Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure.

This artifact is part of the FIRST Vulnerability Disclosure Bundle...

Geer Keynote at Black Hat 2014 - Cybersecurity as Realpolitik (transcription)

2014/08/06 : Here is the transcription of Dan Geer's keynote at the Black Hat Conference of 2014. He explains how vulnerability research should now be recognized as a job and no longer as a hobby. It must be paid.

This artifact is part of the ...

Coordinated Vulnerability Disclosure: Bringing Balance to the Force (Microsoft)

2010/07/22 : "Today on the MSRC [Microsoft Security Response Center] blog, Matt Thomlinson, General Manager of Trustworthy Computing Security, announced our new philosophy on Coordinated...

Threat Complexity Requires New Levels of Collaboration - Stone and Moussouris on the creation of MSVR

2008/08 : Microsoft creates the Microsoft Vulnerability Research Program (MSVR).

A Method for Web Security Policies draft-foudil-securitytxt-06 - Foudil and Shafranovich Draft

2019/04/08 : In this document, Foudil and Shafranovich "define a format ("security.txt") to help organizations describe the process for security researchers to follow in order to report security vulnerabilities."


Heart of Blue Gold – Announcing New Bounty Programs (Microsoft)

2013/06/19 : Microsoft decided to create new bounty programs.

This artifact is part of the Microsoft Vulnerability Disclosure Bundle.

How long can a Mac survive the hacker Jungle? (on PWN to OWN contest)

2007/03/26 : Ryan Naraine writes about the PWN to OWN contest.

"At this year's CanSecWest 2007 conference in Vancouver, BC, a "PWN to OWN" contest will pit security researchers against a MacBook Pro in an experiment to see how well a default Mac OS X install can survive...
