vulnerability disclosure

The question of how much information to provide and when to make it public is a contentious issue. Some people argue for full and immediate disclosure, including the specific information that could be used in an exploit taking advantage of the vulnerability; others believe that limited information should be made available to a selected group after some specified amount of time has elapsed since the vulnerability was found; and still others believe that no vulnerability information should be published at all.

A number of organizations are establishing vulnerability disclosure policies. According to CERT's policy, for example, they will: inform the vendor about a vulnerability as soon as practically possible after they receive a report; advise the reporter of changes in the status of the vulnerability; and, under most circumstances, disclose the information to the public 45 days after the problem is reported, whether the vendor has dealt with the issue or not.

Learn more about Information Security Laws, Investigations and Ethics

Cyberwar: A threat to business: This tip profiles today's international cyberterrorists, and offers ways to guard enterprise networks against those attackers who thrive on the thrill of creating corporate chaos.
Security rules to live by: Compliance with laws and regulations: An excerpt of Chapter 3: Security Rules to Live By, from David J. Lineman's Information Protection Made Easy.
Steal this Computer Book 4.0: Prevent Google hacking: An excerpt from Chapter 8: Chapter 8: Stalking the Computer of "Steal this Computer Book 4.0," by Wallace Wang.
The Oversight Function
	Ensure that legal responsibilities are clear -- Especially when trouble strikes: Excerpt from Chapter 15 of Information Nation Warrior: Information Management Compliance Boot Camp.
If he had just paid the rent: In this excerpt of Chapter 3 from "High-Tech Crimes Revealed," author Steven Branigan introduces "Wesley" and the incidents that led to a computer forensics investigation.

Do you have something to add to this definition? Let us know. Send your comments to techterms@whatis.com

More resources from around the web: - The Vulnerability Disclosure List offers a selection of related resources. - Information Security has an article called "Vulnerable Discussion." - Slashdot has a discussion on CERT and Vulnerability Disclosure.

FILE EXTENSION AND FILE FORMAT LIST File Extension and File Format List: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z #

RELATED CONTENT Melissa Hathaway urges more cooperation, government attention to cybersecurity Former acting director for cyberspace Melissa Hathaway called for public-private cooperation on cybersecurity and pressed government to develop... Cybersecurity czar candidate questions clout of new position Former U.S. Congressman Tom Davis, a leading candidate for the White House cybersecurity czar, says the job has a number of major challenges to... DHS fills National Cybersecurity Center post Former Microsoft executive Philip Reitinger will lead the DHS' cybersecurity operations, filling a post vacated by Rod Beckstrom.

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CALEA  (SearchSecurity.com) cyberstalking  (SearchSecurity.com)