Vulnerability Public Disclosure
Public Disclosure
The time of disclosure of a vulnerability is defined inconsistently across the security community and industry. It is most commonly understood as some form of public release of security information by some party. Usually, vulnerability information is first discussed on a mailing list or published on a security web site, and a security advisory follows afterwards. To ensure the quality and availability of relevant security information, we propose a stricter definition of the disclosure time.
Definition: Disclosure Date
The time of disclosure is the first date on which a security vulnerability is described on a channel where the disclosed information about the vulnerability fulfils the following requirements:
- the information is freely available to the public
- the vulnerability information is published by a trusted and independent channel/source
- the vulnerability has undergone analysis by experts such that risk rating information is included upon disclosure
Requirement 1
- From the security perspective, only a free and public disclosure can ensure that all interested or concerned parties get the relevant information. Security through obscurity is a concept that has never worked: "The argument that secrecy is good for security is naive, and always worth rebutting. Secrecy is beneficial to security only in limited circumstances, and certainly not with respect to vulnerability or reliability information" [Bruce Schneier].
Requirement 2
- Only a channel independent of a vendor or government is unbiased and enables a fair dissemination of security-critical information. A channel is considered trusted only when it is an accepted source of security information in the industry (e.g. by having delivered security information reliably over a long period of time).
Requirement 3
- Analysis and risk rating ensure the quality of the information disclosed. Mere discussion of a potential flaw on a mailing list, or vague information from a vendor, therefore does not qualify. The analysis must include enough detail to allow a concerned user of the software to assess their individual risk or to take immediate action to protect their assets. In our research, to provide the data for the disclosure time of vulnerabilities, we analyzed security advisories of the following candidate sources: CERT, FrSIRT, IBM ISS X-Force, Secunia, and SecurityFocus.
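As an added example (not code from the page or from any of the sources it names), the three requirements turned into a selection rule over constructed sample reports: the disclosure date is the earliest report that is public, independent, from a trusted source, and carries a risk rating. Treating the five candidate sources named above as the trusted set is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

# Assumption of this example: the five candidate sources the text analysed are
# taken as the industry-accepted ("trusted") independent channels.
TRUSTED_SOURCES = {"CERT", "FrSIRT", "IBM ISS X-Force", "Secunia", "SecurityFocus"}


@dataclass(frozen=True)
class Report:
    """One publication mentioning a vulnerability (constructed sample data)."""
    source: str
    published: date
    public: bool                # req. 1: freely available to the public
    vendor_or_government: bool  # req. 2: published by an interested party?
    risk_rating: Optional[str]  # req. 3: expert analysis with a rating, or None


def qualifies(report: Report) -> bool:
    """True only when all three requirements of the definition hold."""
    return (report.public
            and not report.vendor_or_government
            and report.source in TRUSTED_SOURCES
            and report.risk_rating is not None)


def disclosure_date(reports: Iterable[Report]) -> Optional[date]:
    """Earliest date on which a qualifying description appeared (None if none)."""
    dates = [r.published for r in reports if qualifies(r)]
    return min(dates) if dates else None


# Constructed timeline for one hypothetical flaw, in publication order.
SAMPLE_REPORTS = [
    # mailing-list thread: public and independent, but no analysis/rating
    Report("full-disclosure list", date(2006, 3, 1), True, False, None),
    # vendor bulletin: rated, but not an independent channel
    Report("vendor bulletin", date(2006, 3, 3), True, True, "High"),
    # first advisory meeting all three requirements
    Report("Secunia", date(2006, 3, 5), True, False, "Moderately critical"),
    Report("SecurityFocus", date(2006, 3, 7), True, False, "High"),
]


def sample_disclosure_date() -> str:
    """Disclosure date of the sample timeline as ISO text: 2006-03-05."""
    return disclosure_date(SAMPLE_REPORTS).isoformat()
```

The two earlier publications are rejected for different reasons (no rating; interested party), which is exactly the distinction the definition draws between "first mention" and "disclosure".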