CERT Coordination Center
Vulnerability Remediation

Patching or updating software is usually an effective way to remove vulnerabilities, but there are often other ways to reduce risk. We promote a comprehensive approach that includes following best practices, making configuration or architecture changes, and applying workarounds. In some cases, these strategies provide better long-term vulnerability reduction than simply patching or updating.

Remediation process

Our vulnerability remediation process involves four basic steps. We handle each vulnerability case by case, however, so the timeframe and the order in which the steps occur may vary.
  1. Collection - We collect vulnerability reports in two ways: monitoring public sources of vulnerability information and processing reports sent directly to us. After receiving reports, we perform an initial surface analysis to eliminate duplicates and false alarms, and then catalog the reports in our database.

  2. Analysis - Once the vulnerabilities are cataloged, we determine general severity, considering factors such as the number of affected systems, impact, and attack scenarios. Based on severity and other attributes, we select vulnerabilities for further analysis. Our analysis includes background research, runtime and static analysis, reproduction in our test facilities, and consultation with vendors and other experts.

  3. Coordination - When handling direct reports, we work privately with vendors to address vulnerabilities before widespread public disclosure. We have established, secure communication channels with hundreds of technology producers, both directly and through relationships with computer security incident response teams (CSIRTs) all over the world. We have years of experience successfully coordinating responses to vulnerabilities that affect multiple vendors.

  4. Disclosure - After coordinating with vendors, we take steps to notify critical audiences and the public about the vulnerabilities. To the best of our ability, we produce accurate, objective technical information focused on solutions and mitigation techniques. Targeting a technical audience (administrators and others who are responsible for securing systems), we provide sufficient information to make an informed decision about risk.

Last updated September 3, 2010