VINCE: A Software Vulnerability Coordination Platform
Abstract
So, when I joined the team about three years ago, I sat down with all of the vulnerability coordinators, and I had them break down how they currently did their work. We started with just a blank whiteboard and all of the different tools and processes and workflows that they currently use in vulnerability coordination. What I realized was that in order for me to tackle any one part of that, we needed to look at the whole process and decide if we can change the way that we do our work. Eventually, the team agreed. It was a slow start. We started replacing little pieces of the tools, and then realized, "You know what? Let's just scrap it all, and we are going to move to something where it is more coordinated and collaborative, rather than us being the middleman for all of these processes." So, the key to VINCE is that we are trying to bring everybody into a common room. We call it our case discussion, and we give everybody the information that we were given. Usually a reporter provides information to us about a vulnerability, and we provide that information to all of the different people that we think may be affected by that vulnerability, and we discuss that. We figure out what is the best way forward. We talk about disclosure plans. We talk about remediation plans. We talk about how we are going to disclose it to the public. We hope that everybody gets involved, the vendors and the reporter and the coordinator, and that we all communicate and collaboratively come up with a plan for disclosing the vulnerability and giving that information to the public.
Document Details
- Document Type: Technical Report
- Publication Date: Jan 01, 2021
- Accession Number: AD1146941
Entities
People
- Allen Householder
- Art Manion
- Emily Sarneso
Organizations
- Carnegie Mellon University