Vulnerabilities are undesirable in all facets of life. In fact, the word “vulnerable” derives from the Latin vulnus, meaning “wound.” For information technology and cybersecurity purposes, according to ISO/IEC 29147:2018 – Information Technology – Security Techniques – Vulnerability Disclosure, a vulnerability is a behavior or set of conditions present in a system, product, component, or service that “violates an implicit or explicit security policy.” In other words, it’s a weakness or exposure that permits a security consequence.
An IT vulnerability is more than a theoretical concern: a vulnerability in a reachable system is an opportunity for a threat actor, and attackers exploit vulnerabilities to compromise confidentiality, integrity, availability, operation, or some other security property. The scale of the problem is illustrated by the first half of 2017 alone, in which 918 reported data breaches compromised 1.9 billion records.
ISO/IEC 29147:2018 describes vulnerability disclosure, which it defines as “techniques and policies for vendors to receive vulnerability reports and publish remediation information.” Vulnerability disclosure is a critical element for supporting and maintaining any product or service exposed to threats. By helping to remedy vulnerabilities and make better-informed risk decisions, it minimizes risk, cost, and harm to all stakeholders.
ISO/IEC 29147:2018 provides vulnerability disclosure guidelines and recommendations to vendors. A vendor that follows them gives its users the remediation information they need to perform technical vulnerability management as specified in ISO/IEC 27002:2022 – Information Security, Cybersecurity And Privacy Protection – Information Security Controls.
Specifically, ISO/IEC 29147:2018 provides:
- guidelines on receiving reports about potential vulnerabilities;
- guidelines on disclosing vulnerability remediation information;
- terms and definitions specific to vulnerability disclosure;
- vulnerability disclosure concepts;
- techniques and policy considerations associated with vulnerability disclosure; and
- examples of techniques, policies, and communications.
Considering these vulnerability disclosure factors and processes is crucial, because an organization may currently rely on systems whose vulnerabilities are already known to outside researchers. Without an established channel for receiving reports, as these guidelines describe, its own personnel may never learn that those vulnerabilities exist.
ISO/IEC 29147:2018 is the second edition of the international standard for vulnerability disclosure. It updates the 2014 edition with the following changes:
- Several normative provisions have been added (these are summarized in Annex D, “Summary of normative elements”).
- Numerous organizational and editorial changes have been made for clarity.
Other related activities that take place between receiving and disclosing vulnerability reports are described in ISO/IEC 30111:2019 – Information Technology – Security Techniques – Vulnerability Handling Processes. To aid users who seek to establish vulnerability processes in software, hardware, and online services, this standard and ISO/IEC 29147:2018 can be acquired together as the ISO/IEC 30111 / ISO/IEC 29147 – IT Security Vulnerability Set.
ISO/IEC 29147:2018 – Information Technology – Security Techniques – Vulnerability Disclosure is available on the ANSI Webstore.