VulnCheck’s Patrick Garrity to Present at FIRST 38th Annual Conference

VulnCheck Security Researcher Patrick Garrity will present at FIRST’s 38th Annual Conference in Denver, CO.

A Researcher-Centric Approach to Coordinated Vulnerability Disclosure

June 15 at 2:40 - 3:25 p.m.

Coordinated Vulnerability Disclosure (CVD) is designed to foster collaboration between security researchers and software vendors to improve product security. In practice, however, researchers often shoulder a disproportionate burden. Challenges such as unresponsive vendors, unclear disclosure channels, time-consuming supplier identification, and inconsistent communication expectations can hinder progress. These obstacles not only slow remediation efforts but also create frustration and may discourage future reporting.

This session introduces a researcher-centric model for CVD that enables researchers to focus on their core strength: identifying vulnerabilities. Garrity will outline how security research organizations can reduce the operational and communication overhead typically placed on researchers. In this approach, vulnerabilities are first vetted by an internal research team and then coordinated directly with software vendors, eliminating the need for researchers to identify contacts, manage timelines, or handle repeated follow-ups.

The presentation will also distinguish this model from traditional bug bounty programs. It does not rely on financial incentives, competitive scoring, or reward structures. Instead, the emphasis is on improving global vulnerability reporting outcomes by reducing friction and enhancing the quality of vendor engagement.

Attendees will gain insights drawn from managing a high volume of coordinated disclosures, including what strategies are effective, what common pitfalls persist, and which patterns contribute to more responsive and scalable disclosure practices. Whether you are a researcher, vendor, or part of a PSIRT, this session offers practical guidance for making CVD more predictable, efficient, and sustainable.
