Milestone Security Vulnerability Coordination Guideline Released for Public Comment
January 2017
The Industry Consortium for the Advancement of Security on the Internet (ICASI) applauds the FIRST Vulnerability Coordination Special Interest Group (SIG) for making available for public comment the draft Guidelines and Practices for Multi-party Vulnerability Coordination.
While ISO standards provide basic guidance on the handling of potential vulnerabilities in products, the Guidelines document is geared to consider more complex and typical real-life scenarios. Case studies start with products in the design stage with no affected users and scale to vulnerability disclosure recommendations for scenarios that require notification to multiple vendors and stakeholders at the same time. The document is targeted at Internet vulnerabilities that have the potential to affect a wide range of vendors and technologies at the same time. The paper was produced in collaboration with the National Telecommunications and Information Administration (NTIA), which also endorsed the effort.
A final draft of the report is open to public comment through January 31, 2017. Comments should be submitted by email to firstname.lastname@example.org. After the comment period is closed, the Vulnerability Coordination SIG will revise the document and publish a final version.
In an increasingly connected world reliant on Internet technology, vulnerabilities in software and hardware can put millions of people and businesses at risk. The long-term goal of ICASI's focus on vulnerability coordination has been to facilitate efforts by multiple stakeholders to create a coordinated set of best practices and guidelines that people and organizations can implement when a hardware or software vulnerability is discovered. The organization's partnership with FIRST in this area squarely supports these aims. In addition to multi-party disclosure, the FIRST Vulnerability Coordination SIG is also addressing, through future work items, the related topics of bilateral coordination and notification.
"The Vulnerability Coordination SIG was created through a co-sponsorship between ICASI and FIRST because we felt it gave us the ability to bring together the most diverse group of stakeholders to help address the challenges of vulnerability coordination, which is a critical component of incident response," said Peter Allor, senior cyber security strategist, IBM and ICASI's President. "As we've seen, the SIG drew expertise and experience from government, business, academia and others to draft the Guidelines and Practices for Multi-party Vulnerability Coordination, which we believe when final will have a truly beneficial impact on protecting critical assets."
About the Vulnerability Coordination SIG
Formed in 2015 and co-sponsored by ICASI and FIRST, the Vulnerability Coordination SIG is a collaboration among security researchers, software and system developers, computer security incident response teams, vendors and other industry stakeholders. Among the group's goals is to develop and publish a common set of best practices around security coordination, as well as methods for reporting and updating coordination directories.