Sometimes in our daily job we find unknown vulnerabilities from public databases like Securityfocus BugTraq (BID). This means that, if found by someone else, these vulnerabilites can be used with malicious intent.
When a new vulnerability is found the researcher has four options:
- Do nothing
- Full disclosure:
- Report to the black/gray market (to get money)
- Responsible disclosure (aka coordinated vulnerability disclosure aka CVD)
First option is the easiest one for the researcher: no additional work. Second option is quite easy too and very interesting for the security community as everyone can directly use/patch the vulnerabilities straightaway. Unfortunately, this way bad guys are aware of the vulnerabilities too and can exploit them straightaway too. Third option is interesting for the researchers to get money but unfortunately the vendors don’t always get the information quickly so the software remains vulnerable longer. Last option is interesting for everybody: researchers, vendors and clients. The vulnerabilities are reported to the vendors and when an update is released the vendors may acknowledge the researcher in the advisories.
As we try to protect our clients, vendors and users of affected products at the same time, we prefer the last option (responsible disclosure) which is described this way by CERT/CC:
When a vulnerability is found by a reporter, the reporter informs the vendor and suggests a timeline for disclosure. The amount of time varies greatly based on the organization. The vendor and reporter typically work together to provide a simultaneous public disclosure after a patch is ready. The disclosure may be Limited Disclosure or Full Disclosure after the timeline has expired. In cases where the vendor and reporter do not agree on a timeline, or the vendor is unresponsive, the reporter may publish anyway at the end of the original proposed timeline.