Difference between revisions of "Coordinated Vulnerability Disclosure"
Line 2: | Line 2: | ||
CVD | CVD | ||
==Definitions== | ==Definitions== | ||
− | + | ===[[ENISA]]=== | |
− | ===[[ | + | {{definition|CVD state of play in the EU <ref>[https://www.enisa.europa.eu/publications/coordinated-vulnerability-disclosure-policies-in-the-eu ENISA report on Coordinated Vulnerability Disclosure in Europe (2022)]</ref>}}<br/><br/> |
− | {{definition| | + | |
− | |||
=== International definitions === | === International definitions === | ||
==== ICANN ==== | ==== ICANN ==== | ||
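Review bot: the body of the new ENISA {{definition|...}} block is "CVD state of play in the EU", which names the subject of the cited report rather than giving a definition of CVD, so it does not match the other entries under ==Definitions==; either quote the definition the ENISA report actually gives, or move this line to the reference list and keep only the ===[[ENISA]]=== heading with a {{definition}} body that defines the term.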
Line 14: | Line 13: | ||
=== National Definitions === | === National Definitions === | ||
+ | ==== [[France]] ==== | ||
+ | {{definition|CVD: If a researcher reports a suspected vulnerability to the Agence nationale de la sécurité des systèmes d’information (ANSSI)18, Art. 47 of the Law for a Digital Republic exempts the researcher (‘goodwill person’) who reports the vulnerability from the provisions contained in Art. 40. The agency must also protect the confidentiality of the identity of the researcher who reports the vulnerability. <ref>[https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000033206854 the French law -art 40 & 47]</ref>}}<br> | ||
==== [[Netherlands]] ==== | ==== [[Netherlands]] ==== | ||
{{definition|Coordinated vulnerability disclosure is de praktijk van het gecoördineerd melden van aangetroffen beveiligingslekken. Hierbij worden afspraken gehanteerd die doorgaans neerkomen op dat de melder de ontdekking niet deelt met derden totdat het lek verholpen is, en de getroffen partij geen juridische stappen tegen de melder zal ondernemen. <ref>[https://www.ncsc.nl/binaries/content/documents/ncsc-nl/actueel/cybersecuritybeeld-nederland/cybersecuritybeeld-nederland-2019/1/CSBN2019.pdf Cyber Security Beeld Nederland 2019]</ref>}}Voorheen werd dit responsible disclosure genoemd.<br/><br/> | {{definition|Coordinated vulnerability disclosure is de praktijk van het gecoördineerd melden van aangetroffen beveiligingslekken. Hierbij worden afspraken gehanteerd die doorgaans neerkomen op dat de melder de ontdekking niet deelt met derden totdat het lek verholpen is, en de getroffen partij geen juridische stappen tegen de melder zal ondernemen. <ref>[https://www.ncsc.nl/binaries/content/documents/ncsc-nl/actueel/cybersecuritybeeld-nederland/cybersecuritybeeld-nederland-2019/1/CSBN2019.pdf Cyber Security Beeld Nederland 2019]</ref>}}Voorheen werd dit responsible disclosure genoemd.<br/><br/> |
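Review bot: the new France entry contains a stray "18" directly after "(ANSSI)", which reads like a footnote number carried over from the quoted source and should be dropped. The reference label "the French law -art 40 & 47" should name the law in the same style as the other references (for example "Law for a Digital Republic, Art. 40 & 47"), and the entry closes with a single <br> while the Netherlands entry that follows uses <br/><br/>; use one spacing convention for both.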
Revision as of 17:45, 15 August 2022
Abbreviation
CVD
Definitions
ENISA
International definitions
ICANN
World Bank
It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details. Developers of hardware and software often require time and resources to repair their mistakes. Hackers and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities with a high impact. Hiding these problems could cause a feeling of false security. To avoid this, the involved parties join forces and agree on a period of time for repairing the vulnerability and preventing any future damage. Depending on the potential impact of the vulnerability, this period may vary between a few weeks and several months.
National Definitions
France
Netherlands
Previously this was called responsible disclosure.
Romania
Coordinated (and/or Responsible) Vulnerability Disclosure - "CVD" can be defined as a cooperation mechanism between the Owners or Manufacturers of digital services, computer systems or software developers and the Reporters of vulnerabilities (3rd-party persons and legal entities who identify and report the vulnerabilities) through which both parties coordinate their actions in patching the vulnerabilities before publishing the relevant information to the larger public, in order to allow the users, manufacturers as well as security researchers to adopt the necessary actions in order to eliminate the new security risks. [8]
In the absence of dedicated legislation, the specific cooperation steps and methods used in CVD are primarily geared towards establishing a relationship of trust between the Owners/Manufacturers and the Reporters of vulnerabilities. In establishing that trust, a decisive role can be played by neutral third parties.
Other Definitions
CIO Platform Nederland
Responsible Disclosure is the responsible and joint disclosure, by the reporter and the organisation together, of vulnerabilities, on the basis of a Responsible Disclosure policy that organisations have established for this purpose. [10]
See also
Notes
References
1. ENISA report on Coordinated Vulnerability Disclosure in Europe (2022)
2. Coordinated Vulnerability Disclosure Reporting at ICANN (2013)
3. Cyber Security Glossary, World Bank (2015)
4. The French law, Art. 40 & 47
5. Cyber Security Beeld Nederland 2019
6. Policy for arriving at a practice for Responsible Disclosure, NCSC-NL
7. CERT.RO
8. Coordinated Vulnerability Disclosure, CERT.RO
9. Coordinated Vulnerability Disclosure Model Policy and Procedure, a publication of the CIO Experience Group Information Security (2016)
10. Responsible Disclosure Modelbeleid en Procedure, a publication of the CIO Experience Group Information Security (2016)