Section 22.217 Vulnerability Reporting Flashcards
Objective 4.3 Explain various activities associated with vulnerability management
Vulnerability Reporting
Process of documenting and communicating security weaknesses in software or systems to individuals and organizations responsible for addressing the issues
■ Reports should use clear, concise, and transparent language
■ Confidentiality is crucial to prevent exploitation, reputation damage, and legal repercussions
Internal Reporting
First line of defense in vulnerability management within the organization
■ Identifying, documenting, and communicating vulnerabilities within the organizational structure
■ Information remains internal
■ Timely reporting reduces exposure to unpatched vulnerabilities
■ Establish clear communication paths and protocols
External Reporting
Reporting vulnerabilities outside the organization, involving vendors, partners, customers, or the public
■ Coordinating with vendors to address vulnerabilities for the benefit of all customers
■ Sharing non-sensitive details with databases like CVE or vendor knowledge bases
■ Respect privacy when discussing vulnerabilities with external organizations
Responsible Disclosure
Ethical and judicious disclosure to affected stakeholders before public announcement
■ Collaborate with the entity responsible for the vulnerability (e.g., the software developer)
■ Consider bug bounty programs
■ Give vendors time to address the issue before public disclosure
■ Provide detailed reports, including methods used to exploit vulnerabilities and recommended mitigations
Importance of Confidentiality
Confidentiality is non-negotiable to prevent exploitation
■ Vulnerability reports are valuable maps for attackers
■ Encrypt reports and use secure storage
■ Share reports on a need-to-know basis
■ Consider executive summaries for non-technical stakeholders
■ Breaching confidentiality can lead to exploitation, reputation damage, and legal repercussions