Garret Wassermann

Garret Wassermann

he/him

Software, Cybersecurity, Mathematics, Education

Coordinated Vulnerability Disclosure

1 minute read

Published:

Below is a round up of a series of blog posts I authored for the Software Engineering Institute blog describing the coordinated vulnerability disclosure (CVD) process and challenges in coordinating vulnerability responses with vendors.

SEI Blog Post: CVD Series: Principles of Coordinated Vulnerability Disclosure (Part 2 of 9) provides an overview of some important concepts for companies to consider when forming a coordinated vulnerability disclosure response and policy. (Part 1 only has a brief introduction and list of credits; Parts 3 through 9 do not appear to be published any longer.)

SEI Blog Post: Reach Out and Mail Someone shares some experience with reaching vendors about software vulnerabilities in their products; if a CVD process does not yet exist, email may not reach the right team to address the vulnerability, so I would work through the CERT/CC to send physical mail to vendors to notify them of security issues.

SEI Blog Post: How To Win Friends and Coordinate A Vulnerability is a short post announcing the creation of the “VulWiki” as an online repository for both independent security researchers and software vendors to learn more about CVD and how to professionally navigate various challenges in the process. I contributed a good amount of the initial content available on the VulWiki.

(Note: Updated 2024-07-09 to add correct links to the SEI blog.)

You May Also Enjoy

New Personal PGP Key

Published:

1 minute read

Around when I started at the CERT Coordination Center in 2014, I created a personal PGP key for secure email communications to handle vulnerability reports. With that key going on a decade old, it seemed appropriate to retire it and create a newer key. Especially since newer crypto algorithms like ECC are becoming more popular, with the older RSA (possibly?) beginning to phase out. Trail of Bits for example has a blog post arguing to stop using RSA and instead adopt ECC, in particular Ed25519, for signing keys. Read more

Rust Ecosystem Security

Published:

less than 1 minute read

Below is a round up of some of my work at the Software Engineering Institute investigating secure coding in Rust and the security of the Rust ecosystem in terms of vulnerability analysis and reverse engineering work. Read more

Malware Analysis Tools for Ghidra

Published:

1 minute read

Below is a round up of some of my work at the Software Engineering Institute with Ghidra and developing automated tools for reverse engineering and static code analysis, particularly with an eye toward malware analysis. Read more

Lost Knowledge As Libraries Go Online

Published:

4 minute read

My local library recently ended a pretty big sale; most of its books were sold for about $0.25 each. Many of the books were technical (though introductory level): programming, mathematics, sciences. But there was also a good amount of history and fiction available. I love books and snatched up a bunch, but I did so with a heavy heart at seeing so much knowledge being given up by a place of a learning – particularly when many of the shelves that used to hold books now hold DVDs. Read more