Responsible Vulnerability Disclosure

EXECUTIVE SUMMARY

Software and software-based products have vulnerabilities. Left unaddressed, these vulnerabilities pose a risk to the systems on which they are deployed as well as the people who depend on them. In order for vulnerable systems to be fixed, those vulnerabilities must first be found. Once found, they must be patched or configurations must be modified accordingly. Collaboration between technology service providers and security researchers is an important part of information security best practices. Security researchers [as well as customers, academics, journalists, and tech hobbyists] often discover vulnerabilities, and organizations both public and private, can benefit from having in place a mechanism for disclosing them and a process to work with such disclosures. Timely intervention can not only prevent technical losses but also help in averting reputational crisis.

This whitepaper discusses the different models of vulnerability disclosures presently in practice. Several case studies from different geographies, providing brief synopsis of how different countries have shaped or are in the process of shaping their responsible/coordinated vulnerability disclosure policies are discussed.

This white paper can be cited as: Ranjeet Rane, "Responsible Vulnerability Disclosure", Reserve Bank Information Technology Pvt. Ltd. (2018) www.rebit.org.in