National Infrastructure Advisory Council Vulnerability Disclosure Framework

Citation

• J. Chambers and J. Thompson, “Vulnerability Disclosure Framework: Final Report and Recommendations by the Council”, National Infrastructure Advisory Council (Jan. 2004).

Paper

• PDF
• PS

About This Report

From the Executive Summary:

The goal of this report is to achieve a common understanding and develop standard practices for disclosing and managing vulnerabilities in networked information systems. Over the last 20 years, businesses and governments have increased their reliance on networks, applications, and the Internet for core government and business operations. Vulnerabilities in technology vital to interconnected, critical infrastructure operations represent a threat to both national and economic security. Managing these vulnerabilities has become a critical component of customer care and protecting citizens. There are no standards or broad agreements among stakeholders regarding how, when, and to whom to disclose vulnerabilities.

The following seven recommendations are made to the President to direct appropriate Departments and Agencies involved in any aspect of managing software vulnerabilities.

• Support development of a common vulnerability management architecture, including common terms and universally compatible procedures to be employed in the public and private sectors for identifying, reporting, scoring, remediating, and resolving vulnerabilities. This includes standardized E-mail addresses for reporting and standardized Web site locations and content for sharing information effectively.
• Provide policy and funding to ensure that trusted environments are available to protect vulnerability information and ongoing investigations.
• Promote universal use of multiple compatible encryption methods to ensure the U.S. federal government can participate effectively in the global vulnerability management process.
• Conduct a regulatory framework review. The federal government should review existing federal regulations and practices in order to identify barriers to resolving software vulnerabilities.
• Support robust voluntary information sharing through policy and funding. The federal government should set up or support neutral clearinghouses for vulnerability management, accessible to researchers, the private sector, and federal agencies.
• Support a robust infrastructure for international coordination.
• Promote and fund advanced university and industry security research and education.

Background

I was invited to join the working group developing these guidelines. I couldn’t resist.