Monday, November 20, 2017

Word of the Day: vulnerability disclosure

Word of the Day WhatIs.com
Daily updates on the latest technology terms | November 20, 2017
vulnerability disclosure

Vulnerability disclosure is the practice of reporting security flaws in computer software or hardware. Disclosure, and how it is performed, is often a contentious issue. Generally, vendors prefer to keep a vulnerability under wraps until they have a patch ready to distribute to users. Conversely, researchers and security professionals whose data or systems are at risk prefer that disclosures be made public as soon as possible.

Typically, vendors or developers wait until a patch or other mitigation is available before making a vulnerability public; this approach is often referred to as responsible disclosure. Researchers tell the system providers about the vulnerability, give vendors a reasonable timeline to investigate and fix it, and then publicly disclose the vulnerability once it has been patched.

Although there's no formal industry standard when it comes to reporting vulnerabilities, disclosures typically follow the same basic steps:

1. A researcher discovers a security vulnerability and determines its potential impact. The finder then documents the vulnerability's location.

2. The researcher develops a vulnerability advisory report detailing the vulnerability with supporting evidence and provides a full disclosure timeline. The researcher then securely submits this report to the vendor.

3. The researcher allows the vendor a reasonable amount of time to investigate and patch the vulnerability according to the advisory's full disclosure timeline.

4. Once a patch is available, or the timeline for disclosure has elapsed, the researcher publishes a full disclosure analysis of the exploit, including a detailed explanation of the vulnerability, its impact and the resolution.

Typical responsible disclosure guidelines allow vendors from 60 to 120 days to patch a vulnerability. In many cases, vendors negotiate with researchers to modify the schedule to allow for more time to fix difficult flaws. In 2010, Microsoft attempted to reshape the disclosure landscape by introducing a concept called coordinated disclosure, also referred to as coordinated vulnerability disclosure (CVD). This protocol calls for researchers and vendors to work together to identify and fix the vulnerabilities and negotiate a mutually agreeable amount of time for patching the product and informing the public.
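The disclosure steps and the 60-to-120-day window above describe a small workflow that a researcher or a vendor's product security team usually tracks in a spreadsheet. The following Python model is an added example, not code from WhatIs.com or TechTarget: it records the submission date, the timeline stated in the advisory, any negotiated extension and the patch date, and derives the deadline, the earliest publication date ("patch available, or timeline elapsed") and the current embargo status. The 60/120-day bounds are taken from the definition; the `Advisory` class, the `extend` helper and the `ADV-EXAMPLE-1` identifier are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed baseline from the definition: responsible-disclosure guidelines
# give vendors between 60 and 120 days to patch.
MIN_WINDOW_DAYS = 60
MAX_WINDOW_DAYS = 120


@dataclass
class Advisory:
    """One tracked report, from secure submission to the vendor through publication."""
    vuln_id: str                    # constructed tracking id, not a real CVE or vendor id
    reported: date                  # day the advisory was securely submitted to the vendor
    window_days: int = 90           # deadline stated in the advisory's disclosure timeline
    extension_days: int = 0         # extra time negotiated with the vendor for a hard fix
    patched: Optional[date] = None  # day a patch or mitigation became available, if any

    def __post_init__(self) -> None:
        # Reject timelines outside the guideline window so a typo cannot
        # silently shorten or stretch the embargo.
        if not MIN_WINDOW_DAYS <= self.window_days <= MAX_WINDOW_DAYS:
            raise ValueError(
                f"window_days must be {MIN_WINDOW_DAYS}-{MAX_WINDOW_DAYS}, got {self.window_days}"
            )

    @classmethod
    def from_iso(cls, vuln_id, reported, window_days=90, extension_days=0, patched=None):
        """Build an advisory from ISO-8601 date strings (the form a tracker on disk would hold)."""
        return cls(
            vuln_id,
            date.fromisoformat(reported),
            window_days,
            extension_days,
            date.fromisoformat(patched) if patched else None,
        )

    def deadline(self) -> date:
        """Full-disclosure deadline: submission date plus the agreed window and any extension."""
        return self.reported + timedelta(days=self.window_days + self.extension_days)

    def publication_date(self) -> date:
        """Earliest day publication is due: a patch is out, or the deadline has elapsed."""
        if self.patched is not None and self.patched < self.deadline():
            return self.patched
        return self.deadline()

    def status(self, today: date) -> str:
        """Where the report stands on a given day, as a tracker dashboard would show it."""
        if self.patched is not None and self.patched <= today:
            return "disclosable: patch available"
        if today >= self.deadline():
            return "disclosable: deadline elapsed, still unpatched"
        remaining = (self.deadline() - today).days
        return f"embargoed: {remaining} days remaining"


def extend(advisory: Advisory, extra_days: int) -> Advisory:
    """Record a negotiated extension without losing the originally stated window."""
    return Advisory(advisory.vuln_id, advisory.reported, advisory.window_days,
                    advisory.extension_days + extra_days, advisory.patched)


if __name__ == "__main__":
    # Constructed sample: reported 1 Jan 2017 with a 90-day timeline, patched 15 Mar 2017.
    adv = Advisory.from_iso("ADV-EXAMPLE-1", "2017-01-01", 90, patched="2017-03-15")
    print(adv.deadline(), adv.publication_date(), adv.status(date(2017, 2, 1)))
```

Keeping the stated window and the negotiated extension as separate fields preserves the audit trail the definition hints at: the advisory's original timeline stays visible even after the vendor asks for more time, and the status line makes it obvious when a report has crossed from embargoed to disclosable without a fix.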

Quote of the Day

"It is a flawed argument to claim that vulnerability review and disclosure by the government can keep enterprises safe, because it assumes vulnerabilities are finite, and if we can simply fix all the vulnerabilities, we will be secure." - J.J. Guy


Trending Terms

CERT
vulnerability scanner
vulnerability analysis
Google Project Zero
pen testing
hardware vulnerability

Learning Center

Federal vulnerability review under new VEP still has questions
Experts debate if the federal vulnerability review processes could improve under the updated Vulnerabilities Equities Process Charter.

Responsible vulnerability disclosure lacking by CIA and WikiLeaks
The CIA and WikiLeaks are being questioned over a lack of responsible vulnerability disclosure in the aftermath of the Vault 7 document release.

Getting to the bottom of the software vulnerability disclosure debate
Michael Cobb weighs in on the software vulnerability disclosure debate and discusses responsible disclosure periods and how they affect enterprises.

Risk & Repeat: Critical Windows bug triggers disclosure debate
This Risk & Repeat podcast examines the questions raised by a security researcher's tweet about a dangerous, undisclosed Windows bug.

The right approach for a security vulnerability disclosure policy
At RSA Conference 2015, Qualys' Wolfgang Kandek discussed responsible vulnerability disclosure policy and the recent spat between Google and Microsoft.

Writing for Business

Most major security breaches ____________ human error.
a. can be attributed to
b. are due to
Answer


Stay In Touch
For feedback about any of our definitions or to suggest a new definition, please contact me at: mrouse@techtarget.com



TechTarget, Whatis, 275 Grove Street, Newton, MA 02466. Contact: webmaster@techtarget.com

Copyright 2016 TechTarget. All rights reserved.
