vulnerability disclosure

Vulnerability disclosure is the practice of publishing information about a computer security problem, and a type of policy that stipulates guidelines for doing so.

Vulnerability disclosure is the practice of publishing information about a computer security problem, and a type of policy that stipulates guidelines for doing so. Either the person or organization that discovers the vulnerability or a responsible industry body such as the Computer Emergency Readiness Team (CERT) may make the disclosure, sometimes after alerting the vendor and allowing them a certain amount of time to fix the problem before publishing the information.

The question of how much information to provide and when to make it public is a contentious issue. Some people argue for full and immediate disclosure, including the specific information that could be used in an exploit taking advantage of the vulnerability; others believe that limited information should be made available to a selected group after some specified amount of time has elapsed since the vulnerability was found; and still others believe that no vulnerability information should be published at all.

A number of organizations are establishing vulnerability disclosure policies. According to CERT's policy, for example, they will: inform the vendor about a vulnerability as soon as practically possible after they receive a report; advise the reporter of changes in the status of the vulnerability; and, under most circumstances, disclose the information to the public 45 days after the problem is reported, whether the vendor has dealt with the issue or not.

This was first published in September 2005

Continue Reading About vulnerability disclosure

Glossary

'vulnerability disclosure' is part of the:

View All Definitions

Dig deeper on Information Security Laws, Investigations and Ethics

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

File Extensions and File Formats

Powered by:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close