Responsible Vulnerability Disclosure
Ranjeet Rane | Manager, Policy Research, ReBIT
Software and software-based products have vulnerabilities. Left unaddressed, these vulnerabilities pose a risk to the systems on which they are deployed as well as the people who depend on them. In order for vulnerable systems to be fixed, those vulnerabilities must first be found. Once found, they must be patched or configurations must be modified accordingly. Collaboration between technology service providers and security researchers is an important part of information security best practices. Security researchers [as well as customers, academics, journalists, and tech hobbyists] often discover vulnerabilities, and organizations both public and private, can benefit from having in place a mechanism for disclosing them and a process to work with such disclosures. Timely intervention can not only prevent technical losses but also help in averting reputational crisis.
This whitepaper discusses the different models of vulnerability disclosures presently in practice. Several case studies from different geographies, providing brief synopsis of how different countries have shaped or are in the process of shaping their responsible/coordinated vulnerability disclosure policies are discussed.