National Infrastructure Advisory Council Vulnerability Disclosure Framework

Citation
- J. Chambers and J. Thompson, “Vulnerability Disclosure Framework: Final Report and Recommendations by the Council”, National Infrastructure Advisory Council (Jan. 2004).
Paper
About This Report
From the Executive Summary:
The goal of this report is to achieve a common understanding and develop standard practices for disclosing and managing vulnerabilities in networked information systems. Over the last 20 years, businesses and governments have increased their reliance on networks, applications, and the Internet for core government and business operations. Vulnerabilities in technology vital to interconnected, critical infrastructure operations represent a threat to both national and economic security. Managing these vulnerabilities has become a critical component of customer care and protecting citizens. There are no standards or broad agreements among stakeholders regarding how, when, and to whom to disclose vulnerabilities.
The following seven recommendations are made to the President to direct appropriate Departments and Agencies involved in any aspect of managing software vulnerabilities.
- Support development of a common vulnerability management architecture, including common terms and universally compatible procedures to be employed in the public and private sectors for identifying, reporting, scoring, remediating, and resolving vulnerabilities. This includes standardized E-mail addresses for reporting and standardized Web site locations and content for sharing information effectively.
- Provide policy and funding to ensure that trusted environments are available to protect vulnerability information and ongoing investigations.
- Promote universal use of multiple compatible encryption methods to ensure the U.S. federal government can participate effectively in the global vulnerability management process.
- Conduct a regulatory framework review. The federal government should review existing federal regulations and practices in order to identify barriers to resolving software vulnerabilities.
- Support robust voluntary information sharing through policy and funding. The federal government should set up or support neutral clearinghouses for vulnerability management, accessible to researchers, the private sector, and federal agencies.
- Support a robust infrastructure for international coordination.
- Promote and fund advanced university and industry security research and education.
Background
I was invited to join the working group developing these guidelines.
I couldn’t resist.