Coalition Launches Surveys to Investigate Perspectives on Vulnerability Disclosure and Handling
As software and technology systems become more advanced and complex, their potential to contain issues that negatively impact users increases. Such issues, known as vulnerabilities, may also create opportunities for malicious attackers. Vulnerabilities are often found and addressed during the development, and prior to the market release, of software and technology systems, but testing for everything is impossible. As a result, vulnerabilities may still be found in products and online services, either through intentional investigation or accidental discovery. In both situations, a clear path for security researchers or discoverers to disclose their findings to technology developers, manufacturers, and service providers helps to resolve issues without exposing users to undue risk. A clear path is often part of a “vulnerability handling” policy, process, or program.
While much work has previously been undertaken to develop best practices for vulnerability disclosure and handling – resulting in two
The Group is investigating these issues by surveying the main stakeholder groups involved: technology providers and operators, who may receive reports about potential vulnerabilities; and security researchers, who may report potential vulnerabilities to technology providers and operators. Anonymized information will be gathered through two short (less than 10 questions each) surveys online. The resulting data will be aggregated and analyzed for a report that will be issued to the public later in 2016. Based on the findings, the report will recommend actions to increase adoption of vulnerability disclosure and handling best practices.
“Ultimately our goal is to help make everyone safer; given the trust we place in technology in every area of our lives, it’s important to understand that vulnerabilities can have a negative impact on people’s safety and identity, as well as reaching a scale of national security or economic stability,” said
“We hope that people will approach these surveys in a spirit of openness so we can understand real world perspectives and make appropriate recommendations,” said
The surveys can be accessed as follows:
Technology providers and operators: https://www.surveymonkey.com/r/techprovider
Security researchers: https://www.surveymonkey.com/r/securityresearcher
The surveys, which were developed by stakeholders, not NTIA, are live now and will be available online until
If you have any questions or would like to learn more, please email email@example.com.
Rachel Adam, Senior PR Manager, Rapid7
press@rapid7.com