Patching or updating software is usually an effective way to remove vulnerabilities, but there are often other ways to reduce risk. We promote a comprehensive approach that includes following best practices, making configuration or architecture changes, and applying workarounds. In some cases, these strategies provide better long-term vulnerability reduction than simply patching or updating.
Our Comprehensive Coordination Process
Our vulnerability coordination process involves four basic steps. However, we handle each vulnerability on a case-by-case basis, so the time frame and cycle may vary.
- Reporting. We collect vulnerability reports by monitoring public sources of vulnerability information and by processing reports sent directly to us. After receiving reports, we perform an initial surface analysis to eliminate duplicates and false alarms; we then catalog the reports in our database.
- Analysis. Once the vulnerabilities are cataloged, we determine general severity, considering factors such as the number of affected systems, impact, and attack scenarios. Based on severity and other attributes, we select vulnerabilities for further analysis. Our analysis includes background research, runtime and static analysis, reproduction in our test facilities, and consultation with vendors and other experts.
- Coordination. When handling direct reports, we work privately with vendors to address vulnerabilities before widespread public disclosure. We have established, secure communication channels with hundreds of technology producers, both directly and through relationships with computer security incident response teams (CSIRTs) all over the world. We have years of experience successfully coordinating responses to vulnerabilities that affect multiple vendors.
- Disclosure. After coordinating with vendors, we take steps to notify critical audiences and the public about the vulnerabilities. To the best of our ability, we produce accurate, objective technical information focused on solutions and mitigation techniques. Targeting a technical audience (administrators and others who are responsible for securing systems), we provide sufficient information to make an informed decision about risk.
Contact us if you want to discuss this process or if you have questions about our work.