Decades of vulnerability disclosure activity have highlighted the continued need for study and improvement in the area of vulnerability coordination. Historically, foundational work on best practices, policy, and process for vulnerability disclosure has focused on bilateral coordination between one researcher and one vendor. These practices do not scale adequately to the complexities associated with the widespread use of open source and other third-party software, the proliferation of bug bounty programs, and complicated supply chains.
In March 2016, the U.S. National Telecommunications and Information Association (NTIA) convened a multi-stakeholder process to investigate cybersecurity vulnerabilities. One of the efforts within this process focused on multi-party coordination. In June 2016, the NTIA multi-party effort joined the similar effort already underway within the FIRST Vulnerability Coordination SIG. This combined effort has produced a document that derives multi-party disclosure guidelines and practices from common coordination scenarios and their variations.
The first version of the Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure was published in summer 2017. The first revision was published in May 2020. It is available in both web and PDF formats. The SIG welcomes comments at vulncoord-sig-comments@first.org.