In CERT-FI's view, software vulnerabilities pose a serious threat to the normal functioning of the information society. It is self-evident that vulnerabilities need to be identified before they can be satisfactorily fixed or the threat posed by them can otherwise be mitigated. Furthermore, experience has shown that using software testing methodologies and employing security research approaches can help identify previously unknown vulnerabilities. The findings, however, need to be handled in a responsible manner, as they may have far-reaching adverse consequences for people's privacy, possessions and business, and they may even affect national security.
In its role as a vulnerability coordinator, CERT-FI promotes responsible handling of vulnerability information during all stages of the vulnerability lifecycle, not merely during the disclosure phase. It is not enough that the vulnerability is identified. The weaknesses underlying the vulnerability need to be fixed, the fixes need to be delivered to the user community, and they need to be applied in order to be of value. Coordinators aim to strike a balance between the interests of the vulnerability discoverers, software vendors and integrators, and the end-user community by ensuring that as many vulnerabilities as possible will eventually be fixed and that the fixes will be applied.
CERT-FI uses the vulncoord@ficora.fi email address for vulnerability-related communication. The use of PGP or S/MIME encryption is preferred to protect sensitive information.