Difference between revisions of "Coordinated Vulnerability Disclosure"

From CIPedia
Line 10: Line 10:
 
{{definition|Coordinated Vulnerability Disclosure refers to a reporting methodology where a party (reporter) privately discloses information relating to a discovered vulnerability to a product vendor or service provider (affected party) and allows the affected party time to investigate the claim, and identify and test a remedy or resource before coordinating the release of a public disclosure of the vulnerability with the reporter. <ref>[https://www.icann.org/en/system/files/files/vulnerability-disclosure-11mar13-en.pdf Coordinated Vulnerability Disclosure Reporting at ICANN (2013)]</ref>}}<br/>
 
{{definition|Coordinated Vulnerability Disclosure refers to a reporting methodology where a party (reporter) privately discloses information relating to a discovered vulnerability to a product vendor or service provider (affected party) and allows the affected party time to investigate the claim, and identify and test a remedy or resource before coordinating the release of a public disclosure of the vulnerability with the reporter. <ref>[https://www.icann.org/en/system/files/files/vulnerability-disclosure-11mar13-en.pdf Coordinated Vulnerability Disclosure Reporting at ICANN (2013)]</ref>}}<br/>
  
==== World Bank ====
+
==== [[World Bank]] ====
 
{{definition|Coordinated Vulnerability Disclosure refers to a reporting methodology where a party (reporter) privately discloses information relating to a discovered vulnerability to a product vendor or service provider (affected party) and allows the affected party time to investigate the claim, and identify and test a remedy or resource before coordinating the release of a public disclosure of the vulnerability with the reporter.  <ref>[https://collaboration.worldbank.org/servlet/JiveServlet/downloadBody/18791-102-1-24249/Glossary%20of%20terms.docx Cyber Security Glossary, World Bank (2015)]</ref>}}It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details. Developers of hardware and software often require time and resources to repair their mistakes. Hackers and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities with a high impact. Hiding these problems could cause a feeling of false security. To avoid this, the involved parties join forces and agree on a period of time for repairing the vulnerability and preventing any future damage. Depending on the potential impact of the vulnerability, this period may vary between a few weeks and several months. <br/>
 
{{definition|Coordinated Vulnerability Disclosure refers to a reporting methodology where a party (reporter) privately discloses information relating to a discovered vulnerability to a product vendor or service provider (affected party) and allows the affected party time to investigate the claim, and identify and test a remedy or resource before coordinating the release of a public disclosure of the vulnerability with the reporter.  <ref>[https://collaboration.worldbank.org/servlet/JiveServlet/downloadBody/18791-102-1-24249/Glossary%20of%20terms.docx Cyber Security Glossary, World Bank (2015)]</ref>}}It is like full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before publishing the details. Developers of hardware and software often require time and resources to repair their mistakes. Hackers and computer security scientists have the opinion that it is their social responsibility to make the public aware of vulnerabilities with a high impact. Hiding these problems could cause a feeling of false security. To avoid this, the involved parties join forces and agree on a period of time for repairing the vulnerability and preventing any future damage. Depending on the potential impact of the vulnerability, this period may vary between a few weeks and several months. <br/>
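Review bot: on the World Bank section, the commentary beginning "It is like full disclosure" is written directly after the closing `}}` of the definition template on the same line, so in the wikitext it reads as though it were part of the cited World Bank definition rather than CIPedia's own explanation; start it on a new line after `}}` so the boundary between quoted definition and editorial text is visible. The wikilink change to `==== [[World Bank]] ====` itself is fine. It is also worth stating on the page that the World Bank glossary reproduces the ICANN definition word for word, since the diff shows the identical sentence under both headings with different references.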
  

Revision as of 21:46, 28 August 2017

Abbreviation

CVD

Definitions

International definitions

ICANN

Coordinated Vulnerability Disclosure refers to a reporting methodology where a party (reporter) privately discloses information relating to a discovered vulnerability to a product vendor or service provider (affected party) and allows the affected party time to investigate the claim, and identify and test a remedy or resource before coordinating the release of a public disclosure of the vulnerability with the reporter. [1]


World Bank

Coordinated Vulnerability Disclosure refers to a reporting methodology where a party (reporter) privately discloses information relating to a discovered vulnerability to a product vendor or service provider (affected party) and allows the affected party time to investigate the claim, and identify and test a remedy or resource before coordinating the release of a public disclosure of the vulnerability with the reporter. [2]

It resembles full disclosure, with the addition that all stakeholders agree to allow a period of time for the vulnerability to be patched before the details are published. Developers of hardware and software often need time and resources to repair their mistakes. Hackers and computer security researchers consider it their social responsibility to make the public aware of high-impact vulnerabilities, since hiding these problems could create a false sense of security. To reconcile the two, the parties involved join forces and agree on a period of time for repairing the vulnerability and preventing further damage. Depending on the potential impact of the vulnerability, this period may range from a few weeks to several months.

National Definitions

Netherlands

Responsible disclosure (in the ICT world) is revealing ICT vulnerabilities in a responsible manner in joint consultation between discloser and organisation based on a responsible disclosure policy set by organisations. [3]


Other Definitions

CIO Platform Nederland

Coordinated Vulnerability Disclosure is revealing vulnerabilities in a responsible manner in joint consultation between reporter and Organisation, based on a Coordinated Disclosure Policy set by Organisations. [4]
Responsible Disclosure is the disclosure of vulnerabilities in a responsible manner and jointly between reporter and organisation, based on a Responsible Disclosure policy established by organisations for this purpose. [5]

