The coordinated-disclosure discipline. You walk a hypothetical disclosure timeline against a fictional vendor and produce the report-shaped artefact the vendor would actually act on. The CVE you have been reproducing is already patched, so nothing actually gets disclosed; the discipline is structural.
Reading
- CERT/CC vulnerability disclosure policy.
- The MITRE CVE Program documentation.
- A representative coordinated-disclosure report from the cohort archive (instructor will share).
- Stuttard and Pinto, WAHH, the disclosure-ethics aside in the conclusion.
Lecture
Roughly three hours across two sessions. Key arc:
- Coordinated disclosure: the contract between researcher and vendor.
- The CNA (CVE Numbering Authority) process. Why the CVE identifier matters.
- The disclosure timeline: discovery, vendor contact, vendor acknowledgement, patch, public release.
- What goes in the vendor-readable report. What does not.
- The bug-bounty register versus the coordinated-disclosure register. Why they differ.
Lab pack
Lab Pack 8 walks the disclosure timeline stage by stage (see Lab Pack 8).
Tools you will use
- Your favourite Markdown editor.
- The cohort timeline template from the archive.
OWASP LLM and ASI anchor
The Module 8 lab uses the OWASP responsible-disclosure cheatsheet as the timeline-format anchor. The capstone report's disclosure section follows the same format.
Reflection prompts
- What is the difference between coordinated disclosure and full disclosure?
- What is the typical vendor acknowledgement window for a Python-ecosystem CVE?
- If a vendor does not respond within the window, what is the researcher's next move?
What is next
Module 9 packages the detector tool for publication. The Module 6 tool becomes a private-repo artefact a stranger can install and use.