234 Core Software Security
the discoverers will not be given credit in the public disclosure by the
company and the case will be treated as a “zero day,” no-notice discovery
that has been reported publicly by an external source. In the case of a
zero-day discovery, the PSIRT and development teams work together to
remediate the vulnerability as soon as possible, according to the severity of
the Common Vulnerability Scoring System (CVSS) (http://nvd.nist.gov/
cvss.cfm) scoring for the particular vulnerability. In the case of a zero-day,
highly scored vulnerability, the company PR team will work closely with
the PSIRT to manage potential negative press and customer reaction.
During the investigation of a reported vulnerability, the PSIRT coordinates and manages all sensitive information on a highly confidential basis.
Internal distribution is limited to those individuals who have a legitimate
need to know and can actively assist in resolution of the vulnerability.
The PSIRT will also work with third-party coordination centers such
as the CERT Coordination Center (CERT/CC) (http://www.cert.org/
certcc.html), and others to manage a coordinated industry disclosure for
reported vulnerabilities affecting the software products they are responsible for. In some cases, multiple vendors will be affected and will be
involved in the coordinated response with centers such as CERT. If a
coordination center is involved, then, depending on the circumstances,
the PSIRT may contact the center on the behalf of the discoverers, or
assist them in doing it themselves.
If a third-party component of the product is affected, this will complicate the remediation process because the PSIRT will be dependent on a
third party for remediation. A further complication is that the PSIRT will
have to coordinate and in many cases notify the vendor directly to ensure
coordination with the third-party coordination center and likely direct
involvement with the discoverer. Even though a third-party component
has been used, the assumption is that the owner of the primary software product is ultimately responsible for all components of the software,
whether they own them or not.
As mentioned above, PSIRTs generally use the CVSS to assess the
severity of a vulnerability as part of their standard process for evaluating reported potential vulnerabilities in their products and determining
which vulnerabilities warrant external and internal reporting.
The CVSS model uses three distinct measurements or scores that
include base, temporal, and environmental calculations, and the sum of
all three scores should be considered the final CVSS score. This score
represents a single moment in time; it is tailored to a specific environment