The FIRST Vulnerability Coordination Special Interest Group (SIG) made available for public comment through January 31, 2017 the draft Guidelines and Practices for Multi-party Vulnerability Coordination.
Stakeholder roles and communication paths
While ISO standards provide basic guidance on the handling of potential vulnerabilities in products, the guidelines document is geared to consider more complex and typical real-life scenarios.
Case studies start with products in the design stage with no affected users and scale to vulnerability disclosure recommendations for scenarios that require notification to multiple vendors and stakeholders at the same time.
The document is targeted at Internet vulnerabilities that have the potential to affect a wide range of vendors and technologies at the same time. The paper was produced in collaboration with the National Telecommunications and Information Administration (NTIA), which also endorsed the effort.
“The Vulnerability Coordination SIG was created through a co-sponsorship between ICASI and FIRST because we felt it gave us the ability to bring together the most diverse group of stakeholders to help address the challenges of vulnerability coordination, which is a critical component of incident response,” said Peter Allor, senior cyber security strategist, IBM and ICASI’s President. “As we’ve seen, the SIG drew expertise and experience from government, business, academia and others to draft the Guidelines and Practices for Multi-party Vulnerability Coordination, which we believe when final will have a truly beneficial impact on protecting critical assets.″