Patching or updating software is usually an effective way to remove
vulnerabilities, but there are often other ways to reduce risk. We
promote a comprehensive approach that includes following best
practices, making configuration or architecture changes, and applying
workarounds. In some cases, these strategies provide better long-term
vulnerability reduction than simply patching or updating.

Our vulnerability remediation process involves four basic
steps. However, we handle each vulnerability on a case-by-case basis,
so the timeframe and cycle may vary.

- Collection - We collect vulnerability reports in two ways:
monitoring public sources of vulnerability information and processing
reports sent directly to us. After receiving reports, we perform an
initial surface analysis to eliminate duplicates and false alarms, and
then catalog the reports in our database.
- Analysis - Once the vulnerabilities are cataloged,
we determine general severity, considering factors such as the number
of affected systems, impact, and attack scenarios. Based on severity
and other attributes, we select vulnerabilities for further
analysis. Our analysis includes background research, runtime and
static analysis, reproduction in our test facilities, and consultation
with vendors and other experts.
- Coordination - When handling direct reports, we work
privately with vendors to address vulnerabilities before widespread
public disclosure. We have established, secure communication channels
with hundreds of technology producers, both directly and through
relationships with computer security incident
response teams (CSIRTs) all over the world. We have years of
experience successfully coordinating responses to vulnerabilities that
affect multiple vendors.
- Disclosure - After coordinating with vendors, we
take steps to notify critical audiences and the public about the
vulnerabilities. To the best of our ability, we produce accurate,
objective technical information focused on solutions and mitigation
techniques. Targeting a technical audience (administrators and others
who are responsible for securing systems), we provide sufficient
information to make an informed decision about risk.
Our vulnerability analysis is incorporated into some of US-CERT's documents: