Vulnerability disclosure is the practice of publishing information about a computer security problem, and a type of policy that stipulates guidelines for doing so. Either the person or organization that discovers the vulnerability or a responsible industry body such as the Computer Emergency Readiness Team (CERT) may make the disclosure, sometimes after alerting the vendor and allowing them a certain amount of time to fix the problem before publishing the information.
The question of how much information to provide and when to make it public is a contentious issue. Some people argue for full and immediate disclosure, including the specific information that could be used in an exploit taking advantage of the vulnerability; others believe that limited information should be made available to a selected group after some specified amount of time has elapsed since the vulnerability was found; and still others believe that no vulnerability information should be published at all.
A number of organizations are establishing vulnerability disclosure policies. According to CERT's policy, for example, they will: inform the vendor about a vulnerability as soon as practically possible after they receive a report; advise the reporter of changes in the status of the vulnerability; and, under most circumstances, disclose the information to the public 45 days after the problem is reported, whether the vendor has dealt with the issue or not.
Continue Reading About vulnerability disclosure
'vulnerability disclosure' is part of the:
View All Definitions