Review ZDI blog post for suggestions: Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD

[ahouseholder]

Dustin Childs published a blog post UNCOORDINATED VULNERABILITY DISCLOSURE: THE CONTINUING ISSUES WITH CVD on July 15, 2024. Is there anything in https://www.zerodayinitiative.com/blog/2024/7/15/uncoordinated-vulnerability-disclosure-the-continuing-issues-with-cvd that would prompt us to change anything in the guide?

concerns we don't already address, expanding existing descriptions, adding or updating references, etc.

[sei-vsarvepalli]

Yeh I think so.. At least a few I can see.

1. Vendors having to de-duplicate reports or acknowledge multiple related vulnerability reports
2. Vendors already aware of a vulnerability (sometimes internally discovered or reported) but have it in their queue, sometimes long queue, till they see an exploit or any CVD trigger from another reporter with higher embargo.

[ahouseholder]

(my own list, independent of previous comment)

• We might expand https://certcc.github.io/CERT-Guide-to-CVD/topics/principles/avoid_surprise to address the vendor surprising the reporter with publication. Appears to be a case where an agreed embargo was cut short because the vendor terminated early, and the reporter found out via the publication rather than via communication within the case.
• What to do when disagreement on things like CVSS vector elements (Exploit Code Maturity is a point of contention in the post)
• We don't really address "one-sided coordination" directly. From the post:

CVD doesn’t work if the only ones coordinating are the researchers. While these are Microsoft examples, there are multiple occasions from various vendors where “coordination” simply means “You tell us everything you know about this bug, and maybe something will happen.”

• The trust inset on https://certcc.github.io/CERT-Guide-to-CVD/topics/principles/avoid_surprise/ might benefit from the following quote

Vendors want researchers to trust them, but they aren’t taking the necessary steps to earn our trust. What’s sad is that we aren’t asking for a lot. Tell us you’ve received the report. Confirm or deny our findings. Tell us when a patch is coming. Acknowledge us appropriately (and spell our name right). And finally, once the patch is available, tell us where we can find the patch. Strangely, one of the biggest problems we have at the ZDI is just getting vendors to tell us when something is fixed.

• review the CVD disputes section of https://certcc.github.io/CERT-Guide-to-CVD/howto/coordination/coordinator_reasons/ against the "who arbitrates disagreements?" section of the post
• also note that disputing CVE is not the same as disputing NVD's CVSS score, or vendor's CVSS score etc.