Coordinated vulnerability disclosure (CVD) begins when at least one individual becomes aware of a vulnerability, but it can’t proceed without the cooperation of many. Software supply chains, software libraries, and component vulnerabilities have evolved in complexity and have become as much a part of the CVD process as vulnerabilities in vendors’ proprietary code. Many CVD cases now require coordination across multiple vendors. In this podcast from the Carnegie Mellon University Software Engineering Institute (SEI), Allen Householder, a senior vulnerability and incident researcher in the SEI’s CERT Division, talks with principal researcher Suzanne Miller about Vultron, a protocol for multi-party coordinated vulnerability disclosure (MPCVD).