ISO vulnerability disclosure standard now free

ISO/IEC 29147 vulnerability information exchange schematic. Source: ISO

Guide for how to handle vulnerability reports.

An International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) document that helps organisations handle responsible vulnerability disclosure is now free to access.

The ISO/IEC 29147 document sets out how hardware and software vendors, and other organisations that provide applications (such as financial institutions and governments), can integrate vulnerability disclosure management into their normal business processes.

Until this weekend, ISO charged 138 Swiss Francs (A$185) for the 29147 standards document.

Last week, the global standards organisation approved a request from Luta Security founder Katie Moussouris and Art Manion of the CERT Coordination Center (CERT/CC) in the US to offer ISO/IEC 29147 at no cost.

"The rationale was that making it available for free would help drive adoption of not only the vulnerability disclosure standard, but also the related standard on vulnerability handling processes, ISO 30111," Moussouris said.

The two are co-editors of the standard and have helped edit it since around 2008.

First proposed in 2005, and published in final form last February, the ISO standard is aimed at advising organisations on how to respond to security vulnerability reports. 

This includes how to receive vulnerability reports from researchers, and how to process them so as to potentially create fixes for the flaws.

If a fix or remediation for the vulnerability is created, the standard also guides organisations on how to communicate it to affected customers.

"Inappropriate disclosure of a vulnerability could not only delay the deployment of the vulnerability resolution, but also give attackers hints to exploit it," the standards paper states.

ISO/IEC 29147 interfaces with the ISO/IEC 30111 vulnerability handling process standard. The latter provides guidelines on how to process and resolve potential vulnerability information once a report has been received.

The ISO/IEC 29147 document can be downloaded as a ZIP archive with a PDF file.
