coordinated vulnerability disclosure

A File Format to Aid in Security Vulnerability Disclosure (Security.txt)

2017/09 : "When security vulnerabilities are discovered by researchers, proper reporting channels are often lacking. As a result, vulnerabilities may be left unreported. This document defines a machine-parsable format ("security.txt") to help organizations describe their vulnerability disclosure...Read more

FIRST updates guidelines for multi-party vulnerability disclosure (Haworth Paper)

2020/05/18 : Jessica Haworth writes on FIRST updates guidelines for multi-party vulnerability disclosure.

This artifact is part of the FIRST Vulnerability Disclosure Bundle.Read more

Threat Complexity Requires New Levels of Collaboration - Stone and Moussouris on the creation of MSVR

2008/08 : Microsoft create the Microsoft Vulnerability Research Program (MSVR).Read more

Announcing Coordinated Vulnerability Disclosure (Microsoft)

2010/07/22 : "Today on the MSRC [Microsoft Security Response Center] blog, Matt Thomlinson, General Manager of Trustworthy Computing Security, announced our new philosophy on Coordinated Vulnerability Disclosure."

This artifact is part of the ...Read more

THE PRICE OF RESTRICTING VULNERABILITY PUBLICATIONS (Granick Article)

2005 : "Part One of this paper explains the current state of computer (in)security and sets forth three ways to restrict publications followed by the most common arguments for and against. It then illustrates the popularity of security publication restrictions with an ...Read more

FIRST Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure

2017 : FIRST release their Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure.
"The purpose of this document is to assist in improving multi-party vulnerability coordination across different stakeholder communities."

This artifact is...Read more

Microsoft Vulnerability Research Advisories

https://web.archive.org/web/20110425041124/http://www.microsoft.com/technet/secu…
iDEFENSE Labs Website Launch

2005/02/17 : iDEFENSE Labs announces the launch of their community site.

"This site will serve as our repository for sharing our research and development with the security community, including the release of free ...Read more

Google Project Zero

2015/02/13 : "Project Zero has adhered to a 90-day disclosure deadline. Now we are applying this approach for the rest of Google as well. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a...Read more

Microsoft Says No to Paying Bug Bounties (Fisher paper)

2010/07/22 : "Microsoft has no plans to follow in the footsteps of Mozilla and Google and pay researchers cash rewards for the bugs that they find in Microsoft’s products."

This artifact is part of the ...Read more

Geer Keynote

Geer Keynote at Black Hat 2014 - Cybersecurity as Realpolitik
Black Hat 2014 Keynote: Cybersecurity as Realpolitik (on Geer Keynote)
Geer Keynote at Black Hat 2014 - Cybersecurity as Realpolitik (transcription)
No more free bugs for software vendors (Fisher paper)

2009/03/23 : Dennis Fisher highlights the end of free vulnerability disclosure.

"It appears that the free ride is over for software vendors."Read more

Subscribe to coordinated vulnerability disclosure
Need help with PECE?
Join the PECE Slack channel