Uncoordinated Vulnerability Di... Note

Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD

Microsoft released a patch for CVE-2024-38112, which was being exploited in the wild. Trend Micro Zero Day Initiative (ZDI) reported the exploit to Microsoft in May, but was not acknowledged in the patch release. This highlights the lack of transparency and coordination in coordinated vulnerability disclosure (CVD). Researchers often face communication issues when reporting bugs, such as not receiving confirmation or acknowledgment from vendors. Microsoft's Secure Future Initiative has not resulted in improved transparency. Vendors need to take steps to earn researcher trust, such as providing clear communication, appropriate acknowledgment, and accurate patch information. ZDI helps researchers handle communications with vendors, but disputes over fix severity and CVSS ratings can still arise. Researchers may resort to public disclosure if they feel their reports are not being addressed adequately. Despite the concept of CVD, many vendors do not fully embrace the responsibility to coordinate with researchers. The Cyber Safety Review Board and ProPublica have highlighted Microsoft's communication failures, emphasizing the need for accountability in the industry. ZDI's Vanguard Awards will recognize vendors who demonstrate excellence in CVD. The lack of coordination in CVD not only affects vendor-researcher relationships but also end users' ability to assess risk and trust in security patches.