Responsible disclosure is a concept—implemented by an organizational policy—that deals with two conflicting dynamics relating to software and system security issues:
- The need to give software and system makers the chance to fix problems and distribute the fixes, without alerting attackers to the problems before the fixes are in place.
- The need to let customers of the software and systems know about problems, so that they can implement workarounds and interim controls to protect their businesses and operations until the problems are fixed.
Responsible disclosure is an organization's policy establishing a period of time during which it will keep the problems secret and work on the corrections, prior to distributing the corrections and disclosing the existence of the problems.
It is considered irresponsible disclosure for security researchers to simply announce a discovered flaw to the general public, without giving the software makers time to identify interim controls and put corrections into place.
Vulnerability Disclosure Policies
There is a standard that defines Vulnerability Disclosure: ISO/IEC 29147:2014 Information technology — Security techniques — Vulnerability disclosure, which is available here.
Many vulnerability disclosure policy documents can be found online. Here are a few by well-known companies:
- Axis Communications: Axis Vulnerability Management Policy
- Microsoft: Microsoft Vulnerability Disclosure Policy
- Yahoo: Yahoo Vulnerability Disclosure Policy
Common Vulnerabilities and Exposures Catalog
Many organizations disclose their vulnerabilities through a catalog known as CVE, an abbreviation for the Common Vulnerabilities and Exposures system. Because many software security products and security researchers work to identify problems, it can easily happen that several people discover the same problem independently. Thus a need arose for standard terminology to describe the problems and document them. That is the purpose of the Common Vulnerabilities and Exposures system, commonly known simply as "CVE". It is a catalog of known software and system security vulnerabilities. For more information see the RBCS CVE Page.