Difference between revisions of "Coordinated Vulnerability Disclosure"

From CIPedia
(Romania)
(Netherlands)
(3 intermediate revisions by the same user not shown)
Line 15: Line 15:
 
=== National Definitions ===
 
=== National Definitions ===
 
==== [[Netherlands]] ====
 
==== [[Netherlands]] ====
 +
{{definition|Coordinated vulnerability disclosure is de praktijk van het gecoördineerd melden van aangetroffen beveiligingslekken. Hierbij worden afspraken gehanteerd die doorgaans neerkomen op dat de melder de ontdekking niet deelt met derden totdat het lek verholpen is, en de getroffen partij geen juridische stappen tegen de melder zal ondernemen. <ref>[https://www.ncsc.nl/binaries/content/documents/ncsc-nl/actueel/cybersecuritybeeld-nederland/cybersecuritybeeld-nederland-2019/1/CSBN2019.pdf Cyber Security Beeld Nederland 2019]</ref>}}Voorheen werd dit responsible disclosure genoemd.<br/><br/>
 
{{definition|Responsible disclosure (in the ICT world) is revealing ICT vulnerabilities in a responsible manner in joint consultation between discloser and organisation based on a responsible disclosure policy set by organisations. <ref>[https://www.ncsc.nl/english/current-topics/news/responsible-disclosure-guideline.html Policy for arriving at a practice for Responsible Disclosure, NCSC-NL]</ref>}}<br/>
 
{{definition|Responsible disclosure (in the ICT world) is revealing ICT vulnerabilities in a responsible manner in joint consultation between discloser and organisation based on a responsible disclosure policy set by organisations. <ref>[https://www.ncsc.nl/english/current-topics/news/responsible-disclosure-guideline.html Policy for arriving at a practice for Responsible Disclosure, NCSC-NL]</ref>}}<br/>
 +
 
==== [[Romania]] ====
 
==== [[Romania]] ====
 
{{definition|Divulgarea coordonată și responsabilă a vulnerabilităților - ”CVD” este forma de cooperare dintre Deținătorii/Producătorii de servicii, sisteme și programe informatice și Raportorii de vulnerabilități (terțe persoane care identifică și/sau raportează vulnerabilități ale serviciilor, programelor și sistemelor informatice) prin care cele două părți se coordonează în remedierea vulnerabilităților, înainte de divulgarea publică a informațiilor care ar permite comunității largi de utilizatori, producători și cercetători în securitate informatică să adopte măsurile necesare eliminării riscurilor de securitate. <ref>[https://cert.ro/pagini/CVD#_Toc483830231, CERT.RO]</ref><br/><br/>Coordinated (and/or Responsible) Vulnerability Disclosure - ”CVD” can be defined a cooperation mechanism between the Owners or Manufacturers of digital services, computer systems or software developers and the Reporters of vulnerabilities (3rd party persons and legal entities who identify and report the vulnerabilities) through which both parties coordinate their actions in patching the vulnerabilities before publishing the relevant information to the larger public, in order to allow the users, manufacturers as well as security researchers to adopt the necessary actions in order to eliminate the new security risks. <ref>[https://cert.ro/pagini/CVD Coordinated Vulnerability Disclosure, CERT.RO]</ref>}}In absence of dedicated legislation, the specific cooperation steps and methods used in CVD are primarily geared towards establishing a relationship of trust between the Owners/Manufacturers and  the Reporters of vulnerabilities. In establishing the trust a decisive role can be played by neutral third parties.<br/><br/>
 
{{definition|Divulgarea coordonată și responsabilă a vulnerabilităților - ”CVD” este forma de cooperare dintre Deținătorii/Producătorii de servicii, sisteme și programe informatice și Raportorii de vulnerabilități (terțe persoane care identifică și/sau raportează vulnerabilități ale serviciilor, programelor și sistemelor informatice) prin care cele două părți se coordonează în remedierea vulnerabilităților, înainte de divulgarea publică a informațiilor care ar permite comunității largi de utilizatori, producători și cercetători în securitate informatică să adopte măsurile necesare eliminării riscurilor de securitate. <ref>[https://cert.ro/pagini/CVD#_Toc483830231, CERT.RO]</ref><br/><br/>Coordinated (and/or Responsible) Vulnerability Disclosure - ”CVD” can be defined a cooperation mechanism between the Owners or Manufacturers of digital services, computer systems or software developers and the Reporters of vulnerabilities (3rd party persons and legal entities who identify and report the vulnerabilities) through which both parties coordinate their actions in patching the vulnerabilities before publishing the relevant information to the larger public, in order to allow the users, manufacturers as well as security researchers to adopt the necessary actions in order to eliminate the new security risks. <ref>[https://cert.ro/pagini/CVD Coordinated Vulnerability Disclosure, CERT.RO]</ref>}}In absence of dedicated legislation, the specific cooperation steps and methods used in CVD are primarily geared towards establishing a relationship of trust between the Owners/Manufacturers and  the Reporters of vulnerabilities. In establishing the trust a decisive role can be played by neutral third parties.<br/><br/>
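Review bot: The Netherlands hunk adds the Dutch CSBN 2019 definition and the sentence "Voorheen werd dit responsible disclosure genoemd." without an English rendering, whereas the Romania section in the next hunk carries both the original and an English version; add an English translation beside the Dutch text so the two national sections are consistent for non-Dutch readers.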
Line 21: Line 23:
 
=== Other Definitions ===
 
=== Other Definitions ===
 
==== CIO Platform Nederland ====
 
==== CIO Platform Nederland ====
{{definition|Coordinated Vulnerability Disclosure is revealing vulnerabilities in a responsible manner in joint consultation between reporter and Organisation, based on a Coordinated Disclosure Policy set by Organisations. <ref>[https://www.cio-platform.nl/l/library/download/urn:uuid:23494658-bba3-4422-9b96-bb14fa2418af/ciopublicatie2016+ceginfosec+coordinated+vulnerability+disclosure+policy+and+procedure+-+eng+v1.0.pdf Coordinated Vulnerability Disclosure Model Policy and Procedure, A publication of the CIO Experience Group Information Security (2016)]</ref><br/>Responsible Disclosure is het op een verantwoorde wijze en in gezamenlijkheid tussen melder en organisatie openbaar maken van kwetsbaarheden op basis van een door organisaties hiervoor vastgesteld beleid voor Responsible Disclosure. <ref>[https://www.cio-platform.nl/l/en/library/download/urn:uuid:4b2d5d33-8886-4cfe-b650-33f05f763289/ciopublicatie2016+ceginfosec+responsible+disclosure+modelbeleid+en+procedure+-+nl+v1.0.pdf Responsible Disclosure Modelbeleid en Procedure Publicatie van de CIO Experience Group Information Security (2016)]</ref>}}<br />
+
{{definition|Coordinated Vulnerability Disclosure is revealing vulnerabilities in a responsible manner in joint consultation between reporter and Organisation, based on a Coordinated Disclosure Policy set by Organisations. <ref>[https://www.cio-platform.nl/l/library/download/urn:uuid:23494658-bba3-4422-9b96-bb14fa2418af/ciopublicatie2016+ceginfosec+coordinated+vulnerability+disclosure+policy+and+procedure+-+eng+v1.0.pdf Coordinated Vulnerability Disclosure Model Policy and Procedure, A publication of the CIO Experience Group Information Security (2016)]</ref><br/><br/>Responsible Disclosure is het op een verantwoorde wijze en in gezamenlijkheid tussen melder en organisatie openbaar maken van kwetsbaarheden op basis van een door organisaties hiervoor vastgesteld beleid voor Responsible Disclosure. <ref>[https://www.cio-platform.nl/l/en/library/download/urn:uuid:4b2d5d33-8886-4cfe-b650-33f05f763289/ciopublicatie2016+ceginfosec+responsible+disclosure+modelbeleid+en+procedure+-+nl+v1.0.pdf Responsible Disclosure Modelbeleid en Procedure Publicatie van de CIO Experience Group Information Security (2016)]</ref>}}<br />
  
 
<!---
 
<!---
Line 27: Line 29:
 
{{definition|Coordinated Vulnerability Disclosure (CVD) pertains to the mechanisms by which vulnerabilities are shared and disclosed in a controlled way. <ref>[Memorandum]</ref>}}<br />
 
{{definition|Coordinated Vulnerability Disclosure (CVD) pertains to the mechanisms by which vulnerabilities are shared and disclosed in a controlled way. <ref>[Memorandum]</ref>}}<br />
 
-->
 
-->
 +
 
==See also==
 
==See also==
 
* [[Vulnerability]]
 
* [[Vulnerability]]
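Review bot: The commented-out definition in this hunk cites `<ref>[Memorandum]</ref>`, a bare placeholder with no title, author or URL; if the block is meant to be re-enabled later it needs a resolvable reference, and if not, dropping the dead block is cleaner than carrying it through every revision inside `<!--- ... -->`.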
Line 41: Line 44:
 
[[Category:Threat]]
 
[[Category:Threat]]
 
{{#set:defined by=Netherlands|defined by=Romania|defined by=World Bank}}
 
{{#set:defined by=Netherlands|defined by=Romania|defined by=World Bank}}
 +
{{#set: Showmainpage=Yes}}
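Review bot: `{{#set:defined by=Netherlands|defined by=Romania|defined by=World Bank}}` lists only three sources, but the rendered page also carries definitions from ICANN and CIO Platform Nederland; add `defined by=ICANN` and `defined by=CIO Platform Nederland` so the semantic property matches the definitions actually shown.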

Revision as of 18:26, 29 June 2019

Abbreviation

CVD

Definitions

International definitions

ICANN

Coordinated Vulnerability Disclosure refers to a reporting methodology where a party (reporter) privately discloses information relating to a discovered vulnerability to a product vendor or service provider (affected party) and allows the affected party time to investigate the claim, and identify and test a remedy or resource before coordinating the release of a public disclosure of the vulnerability with the reporter. [1]


World Bank

Coordinated Vulnerability Disclosure refers to a reporting methodology where a party (reporter) privately discloses information relating to a discovered vulnerability to a product vendor or service provider (affected party) and allows the affected party time to investigate the claim, and identify and test a remedy or resource before coordinating the release of a public disclosure of the vulnerability with the reporter. [2]

It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before the details are published. Developers of hardware and software often need time and resources to repair their mistakes. Hackers and computer security researchers consider it their social responsibility to make the public aware of high-impact vulnerabilities; hiding these problems could create a false sense of security. To avoid this, the involved parties join forces and agree on a period of time for repairing the vulnerability and preventing further damage. Depending on the potential impact of the vulnerability, this period may vary between a few weeks and several months.

National Definitions

Netherlands

Coordinated vulnerability disclosure is the practice of reporting discovered security vulnerabilities in a coordinated manner. This involves agreements that usually amount to the reporter not sharing the discovery with third parties until the vulnerability has been fixed, and the affected party not taking legal action against the reporter. [3]

This was previously called responsible disclosure.

Responsible disclosure (in the ICT world) is revealing ICT vulnerabilities in a responsible manner in joint consultation between discloser and organisation based on a responsible disclosure policy set by organisations. [4]


Romania

Coordinated and responsible vulnerability disclosure ("CVD") is the form of cooperation between the Owners/Producers of IT services, systems and software and the Reporters of vulnerabilities (third parties who identify and/or report vulnerabilities in IT services, software and systems) through which the two parties coordinate in remedying the vulnerabilities before the public disclosure of information that would allow the wider community of users, producers and IT security researchers to adopt the measures needed to eliminate the security risks. [5]

Coordinated (and/or Responsible) Vulnerability Disclosure ("CVD") can be defined as a cooperation mechanism between the Owners or Manufacturers of digital services, computer systems or software developers and the Reporters of vulnerabilities (third-party persons and legal entities who identify and report the vulnerabilities) through which both parties coordinate their actions in patching the vulnerabilities before publishing the relevant information to the larger public, in order to allow the users, manufacturers as well as security researchers to adopt the necessary actions in order to eliminate the new security risks. [6]

In the absence of dedicated legislation, the specific cooperation steps and methods used in CVD are primarily geared towards establishing a relationship of trust between the Owners/Manufacturers and the Reporters of vulnerabilities. In establishing that trust, a decisive role can be played by neutral third parties.

Other Definitions

CIO Platform Nederland

Coordinated Vulnerability Disclosure is revealing vulnerabilities in a responsible manner in joint consultation between reporter and Organisation, based on a Coordinated Disclosure Policy set by Organisations. [7]

Responsible Disclosure is the disclosure of vulnerabilities in a responsible manner and jointly between reporter and organisation, on the basis of a Responsible Disclosure policy established by organisations for this purpose. [8]



See also

Notes