Vulnerability Disclosure Process New Trends
As technology and software systems become more complex and more interconnected, the chance that they contain vulnerabilities grows. Vulnerabilities give attackers opportunities to commit cybercrime or disrupt user activity. Although organizations take many steps to find and remediate vulnerabilities before their products and services reach the market, it is not possible to test everything. As a result, vulnerabilities are still found in online services and technology products, whether by accidental discovery or deliberate investigation. When a vulnerability is found, a clear process for discoverers to report their findings to the vendor helps resolve the problem without exposing users to severe, unnecessary risk.
What Is Vulnerability Disclosure?
Vulnerability disclosure is the practice of publishing details about computer security issues, and also the kind of policy that stipulates how this should be done. The discloser can be the organization or person who finds the weakness, or an accountable industry body such as a CERT (Computer Emergency Readiness Team). They may disclose the vulnerability publicly, often after informing the vendor and allowing time for the vendor to fix the issue before the details are released.
The major debate in vulnerability disclosure is how much detail to disclose and when to release it.
Key steps involved in vulnerability disclosure are:
Types Of Vulnerability Disclosure
Vulnerability disclosure can happen in three different ways:
In the first, discoverers find the vulnerability but keep it secret, disclosing it to neither the vendor nor the public. Because nothing is reported, this type is hard to quantify.
Full Vulnerability Disclosure
In this type, the discoverers find the vulnerability and make its entire details available to the public, whether or not they have informed the vendor first.
Coordinated Or Responsible Vulnerability Disclosure
Here the discoverers send the details of the vulnerability to the vendor with the aim of helping them resolve the problem. After building a fix, the vendor publishes the vulnerability information to the public together with the patch.
This type sometimes involves a coordinator as a third party to manage the coordination process.
New Trends In Vulnerability Disclosure
Industry-wide vulnerability disclosure is trending up, and there are now plenty of resources offering best practices. For instance, the NTIA (National Telecommunications and Information Administration), an agency under the Department of Commerce, has produced a provisional guide called 'Guidelines and Practices for Multi-Party Vulnerability' that builds a sharper, wider understanding of the overlapping interests of vendors and security researchers and encourages closer collaboration.
In the continuing effort to move this process forward, the Library of Congress has issued new exemptions to the DMCA (Digital Millennium Copyright Act). These exemptions protect people who test their own devices from the DMCA's ban on circumventing protection measures.
Bringing openness and responsiveness to the vulnerability disclosure process has allowed the public to report issues that have had life-changing consequences.
Other trends in vulnerability disclosure are as follows:
Vulnerability Severity Trends
Not all vulnerabilities in software are equal; they differ in severity. It is now standard practice to use the CVSS (Common Vulnerability Scoring System), a standardized, platform-independent system for measuring the severity of information technology vulnerabilities. The CVSS base metrics produce a score from 0 to 10 according to the severity of the vulnerability; higher scores, such as 9 and above, denote greater severity.
Vulnerability Access Complexity Trends
Vulnerabilities also vary in their complexity. Some are effortless to exploit compared with others. The complexity of a vulnerability is an essential factor in judging the magnitude of the issue it presents. A high-complexity vulnerability that can be exploited only in rare and specific circumstances may warrant less attention than a lower-complexity vulnerability that can be exploited frequently and easily. CVSS is used to assign the complexity ranking of High, Medium or Low.
Vulnerability Disclosure Program
These programs offer organizations a chance to enhance their cyber security by tapping into the expertise and skills of ethical hackers and security researchers. They set out the rules of engagement by granting limited authorization to test the company's information systems.
Reasons For Caution
Managing vulnerabilities properly often raises difficulties. Public disclosure, especially premature disclosure, can alarm consumers, alert competitors to the vulnerabilities, invite government oversight and lead to litigation. Furthermore, it can allow attackers to exploit the vulnerabilities before they are fixed.