Open ahouseholder opened 2 months ago
Yeah, I think so. At least a few I can see.
(my own list, independent of previous comment)
CVD doesn’t work if the only ones coordinating are the researchers. While these are Microsoft examples, there are multiple occasions from various vendors where “coordination” simply means “You tell us everything you know about this bug, and maybe something will happen.”
Vendors want researchers to trust them, but they aren’t taking the necessary steps to earn our trust. What’s sad is that we aren’t asking for a lot. Tell us you’ve received the report. Confirm or deny our findings. Tell us when a patch is coming. Acknowledge us appropriately (and spell our name right). And finally, once the patch is available, tell us where we can find the patch. Strangely, one of the biggest problems we have at the ZDI is just getting vendors to tell us when something is fixed.
Dustin Childs published a blog post, "Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD", on July 15, 2024. Is there anything in https://www.zerodayinitiative.com/blog/2024/7/15/uncoordinated-vulnerability-disclosure-the-continuing-issues-with-cvd that would prompt us to change anything in the guide?
concerns we don't already address, expanding existing descriptions, adding or updating references, etc.