Jan 20, 2019

Vulnerability Disclosure Tiers

Vulnerability disclosure often happens in a cascading manner - from the one person who discovers it, outward to the public Internet. While everyone agrees that vulnerabilities eventually need to be disclosed in some form, the (1) content, (2) audience and (3) timing (C A T) of disclosure are often a topic of contention and discontent. The hope is that if we take the subjectivity out of disclosure C A T, vulnerability disclosures can be less painful, especially for critical vulnerabilities.
The audience should be selected based on their role and on whether they play by the rules of disclosure. It may not matter whether they work for the same organization or not. The same individuals or teams may perform two or three roles. An incident responder may identify the audience and facilitate the flow of content between tiers.
Vuln Disclosure Tiers

Tier 0 - incident responders, vulnerability researcher

Content: Nothing → vulnerability report, PoC (Proof of Concept)

Tier 1 - inventors, architects and designers

Content: vulnerability report, PoC → well defined problem statement, root cause, solutions, PoC

Tier 2 - implementors, developers

Content: problem, root cause, solutions, PoC → problem, root cause, solutions, PoC, fix

Tier 3 - replicators, validators, pentesters

Content: problem, root cause, solutions, PoC, fix → problem, solutions, fix, recurrence prevention, conformance tests, workarounds, attack vectors

Tier 4 - integrators, large cloud/service operators, managed products, managed on-premises deployments

Content: problem, risk, solution, fix, workarounds → feedback

Tier 5 - defenders, mitigators

Content: problem, attack vectors → problem, attack vectors, detection, prevention

Tier 6 - administrators, operators

Content: problem, risk, solution, fix, workarounds → feedback

Tier 7 - public, anyone who will not play by the rules.

Content: problem, attack vectors, risk, solution, fix, workarounds, detection, prevention.

3 comments:

fdef said...

nice
