Coordinating UEFI Vulnerabilities as CERT/CC

Presented by

Vijay Sarvepalli, CERT/CC

About this talk

The Software Engineering Institute's CERT Coordination Center (CERT/CC) has been coordinating vulnerabilities in software since 1988, connecting security researchers and vendors toward a more Coordinated Vulnerability Disclosure (CVD) process. CERT/CC has recently been focused on handling "Systemic Vulnerabilities", under which UEFI was identified as a specific firmware concern. UEFI vulnerabilities are critical because they sit at the intersection of hardware and software, which places them in the Systemic Vulnerability class. This talk provides an inside look at how CERT/CC is attempting to approach the coordination of UEFI vulnerabilities and help the ecosystem. We will discuss the technical challenges of identifying these vulnerabilities, the complexities of coordinating with affected vendors, and the strategies used to communicate risks to the public. Through real-world examples, we’ll illustrate the importance of collaboration in addressing these issues and share insights on how various stakeholders can help us achieve this. Attendees will hopefully learn about the role of CERT/CC in helping organizations, along with practical steps for coordinating UEFI vulnerabilities. The aim is to assist organizations from very small to large, so they can benefit from our work at CERT/CC to bring transparency and CVD maturity to the UEFI ecosystem.
UEFI Forum

Webinars for the Firmware Community
Through a collaborative approach with world-class companies, institutions and experts, the UEFI Forum advances innovation in firmware technology standards. These extensible, globally-adopted UEFI specifications bring new functionality and enhanced security to the evolution of devices, firmware and operating systems.