Types of Vulnerability Disclosure
Full Vendor Disclosure
The process of disclosing the vulnerability only to the vendor.
Benefits:
Vendors can focus on developing a patch. Full vendor disclosure maximizes the amount of time that the vendor has to work on a patch.
Drawbacks:
The vendor is not under pressure to develop a patch. As a result, reported vulnerabilities can remain unpatched for an extended time, putting the public at risk.
Immediate Public Disclosure
Releasing vulnerability knowledge to the public directly after finding a software vulnerability.
Benefits:
Proponents argue that public disclosure provides a strong incentive for vendors to fix the vulnerability as soon as possible. If they do not, there is potential for nefarious hackers to exploit the vulnerability, discrediting and embarrassing the vendor. Additionally, clients that use the insecure software provided by vendors may be at risk. Immediate disclosure allows these clients to mitigate the risk of exploitation while the vendor works on issuing a patch.
Drawbacks:
Critics argue that immediate public disclosure punishes companies unfairly and does not improve overall security. After public disclosure, malicious agents can use the information to exploit the vendor's software, causing unforeseeable damage. Many companies, had they been aware of the vulnerability, would have worked on a patch to protect the public.
Hybrid Disclosure
The person who identifies the vulnerability informs the vendor first and allows them a grace period before releasing the knowledge publicly.
Benefits:
Because vendors are informed of the software vulnerability prior to public disclosure, they can work on and release a patch without fear that a hacker will exploit their system. Additionally, the threat of public release creates an incentive to implement the patch.
Drawbacks:
Few drawbacks are associated with this method. However, some note that this process requires an intermediary who can determine an appropriate grace period for vendors. The financial overhead to fund the intermediary is a minor drawback in the grand scheme of cyber defense.