Historically, foundational work on best practices, policy and process for vulnerability disclosure focused on bi-lateral coordination and did not adequately address the current complexities of multi-party vulnerability coordination. Factors such as a vibrant open source development community, the proliferation of bug bounty programs, third party software, supply chain vulnerabilities, and the support challenges facing CSIRTs and PSIRTs are just a few of the complicating aspects.
The Industry Consortium for Advancement of Security on the Internet, ICASI, proposed to the FIRST Board of Directors that a Special Interest Group (SIG) be considered on Vulnerability Disclosure. After holding meetings at the FIRST Conferences in Boston in June 2014, ICASI formally requested FIRST to charter a SIG to review and update vulnerability coordination guidelines.
No single entity or group of stakeholders has tried to solve this coordination challenge, as it requires a multi-faceted perspective looking at working a multi-stakeholder solution.
The Vulnerability Coordination SIG is chartered to do this.
We took the opportunity to create a community-led work group to address the challenges and opportunities related to handling these issues and develop a multi-faceted solution.
Read the full SIG charter at https://www.first.org/global/sigs/vulnerability-coordination/