WASHINGTON, DC – Bicameral leaders today sent a letter to the CERT Coordination Center (CERT-CC) following up on concerns raised about coordinated vulnerability disclosure (CVD) practices amid the Spectre and Meltdown cybersecurity vulnerabilities.
Senate Commerce, Science, and Transportation Committee Chairman John Thune (R-S.D.) and House Energy and Commerce Committee Chairman Greg Walden (R-Ore.) today wrote to CERT-CC about the coordination of the CVD process and other issues involving imprecise language that could give both companies and users a false sense of security. The Senate Commerce Committee and House Energy and Commerce Committee initially sent letters to affected companies on the public disclosure of the Spectre and Meltdown chip vulnerabilities earlier this year.
“Failure to adequately coordinate the CVD process and provide timely notice to companies that need to test patches extensively before applying them can significantly increase the risks associated with the vulnerabilities,” wrote Thune and Walden.
The leaders continued, “CVD remains a complex and constantly evolving concept, and as should be expected from one of this size and scale, the Spectre and Meltdown CVD showed that additional improvements can and should be made.”
Click here to read the full letter to CERT-CC.
UPDATE 8/20/18: On July 26, 2018, the committees received a response from the Managing Director of CERT-CC. Click here to read the full response.