This module is a resource for lecturers

Vulnerability disclosure

Information security and cybersecurity have been used interchangeably - albeit incorrectly (von Solms and van Niekerk, 2013). While there is no agreed upon definition of information security, the definition included in ISO/IEC 27002 has been widely used. ISO/IEC 27002 defines information security as the "preservation of [the] confidentiality, integrity and availability of information." Like information security, there is no universal definition of cybersecurity. According to the International Telecommunications Union (ITU), "[c]ybersecurity strives to ensure the attainment and maintenance of the security properties of the organization and user's assets against relevant security risks in the cyber environment" (ITU-T X.1205). Cybersecurity thus not only protects cyberspace, "but also … protect[s]... those … [who] function in cyberspace and any of their assets that can be reached via cyberspace" (von Solms and van Niekerk, 2013, p. 101).

Did you know?

ISO/IEC 27002 contains 14 information security controls areas, as well as implementation guidance and requirements for each of these controls. These areas are: information security policies; organization of information security; human resource security; asset management; access control; cryptography; physical and environmental security; operations security; communications security; system acquisition, development, and maintenance; supplier relationships; information security incident management; information security aspects of business continuity management; and compliance.

Want to learn more?

For more information about these controls, see ISO/IEC 27002.

Information security and cybersecurity are shaped by vulnerability disclosures. When vulnerabilities are discovered by researchers and professionals in the field, they can either be fully disclosed or responsibly disclosed (Trull, 2015). Full disclosure involves publishing the software or hardware vulnerabilities online (e.g., on a website) before a fix is available (Trull, 2015). In contrast, responsible disclosure refers to the practice of not disclosing the vulnerability until the organization responsible for the hardware or software deals fixes the vulnerability (Trull, 2015). For responsible disclosure, the researcher or professional contacts the affected organization, and waits until the organization releases a fix for the identified vulnerability. After a fix is released, the researcher or professional can officially disclose information about the vulnerability and receive credit for this identification. Utilizing this method of disclosure, the researcher or professional may ask for what is known as a Common Vulnerabilities and Exposure ( CVE) identifier. The CVE, a list of common identifiers for publicly known cybersecurity vulnerabilities" (CVE, n.d.), is used to track vulnerabilities across major pieces of software, as well as those who find such vulnerabilities. In addition to full and responsible disclosure, the researcher or professional may choose not to disclose the vulnerability (Cencini, Yu, & Chan, 2005). A further method of disclosure is coordinated vulnerability disclosure (CVD), which refers to "the process of gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of software vulnerabilities and their mitigation to various stakeholders, including the public" (Householder, Wassermann, Manion, and King, 2017).

Best practice guidelines are available for vulnerability disclosures and the handling of vulnerabilities. Cases in point are the best practice guidelines developed and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) (for more information about these organizations, see Cybercrime Module 4 on Introduction to Digital Forensics) on vulnerability disclosure ( ISO/IEC 29147) and vulnerability handling processes ( ISO/IEC 30111).

Next: Cybersecurity measures and usability
Back to top