BS ISO IEC 29147-2014 Information technology Security techniques Vulnerability disclosure (Information technology: Security techniques: Vulnerability disclosure).pdf

Uploader: eastlab115  Document ID: 588472  Uploaded: 2018-12-15  Format: PDF  Pages: 46  Size: 1.45 MB
Resource description

BSI Standards Publication

BS ISO/IEC 29147:2014

Information technology – Security techniques – Vulnerability disclosure

Copyright British Standards Institution. Provided by IHS under license with BSI - Uncontrolled Copy. Not for Resale. No reproduction or networking permitted without license from IHS.

BRITISH STANDARD

National foreword

This British Standard is the UK implementation of ISO/IEC 29147:2014.

The UK participation in its preparation was entrusted to Technical Committee IST/33, IT - Security techniques.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2014. Published by BSI Standards Limited 2014

ISBN 978 0 580 68096 0
ICS 35.040

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 28 February 2014.

Amendments issued since publication
Date    Text affected

INTERNATIONAL STANDARD ISO/IEC 29147
First edition 2014-02-15

Information technology – Security techniques – Vulnerability disclosure
Technologies de l'information – Techniques de sécurité – Divulgation de vulnérabilité

Reference number ISO/IEC 29147:2014(E)
© ISO/IEC 2014

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2014
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org

Published in Switzerland

Contents                                                                     Page

Foreword ..... iv
Introduction ..... v
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Abbreviated terms ..... 2
5 Concepts ..... 3
5.1 General ..... 3
5.2 Interface between ISO/IEC 29147: Vulnerability disclosure and ISO/IEC 30111: Vulnerability handling processes ..... 3
5.3 Products and online services ..... 5
5.4 Stakeholders ..... 6
5.5 Vulnerability disclosure process summary ..... 7
5.6 Information exchange during vulnerability disclosure ..... 8
5.7 Confidentiality of exchanged information ..... 9
5.8 Vulnerability advisories ..... 9
5.9 Vulnerability exploitation ..... 9
6 Vulnerability disclosure policy considerations ..... 10
6.1 General ..... 10
6.2 Minimum policy aspects ..... 10
6.3 Optional policy aspects ..... 11
7 Receipt of vulnerability information ..... 12
7.1 General ..... 12
7.2 Potential vulnerability report and its secure receiving model ..... 12
7.3 Acknowledgement of receipt from finder or a coordinator ..... 12
7.4 Tracking incoming reports ..... 12
7.5 On-going communication with finder ..... 12
7.6 Detailed information ..... 12
7.7 Support from coordinators ..... 13
8 Possible vulnerability reporting among vendors ..... 13
8.1 General ..... 13
8.2 Typical cases calling for vulnerability reporting among vendors ..... 13
8.3 Reporting of vulnerability information to other vendors ..... 13
9 Dissemination of advisory ..... 14
9.1 General ..... 14
9.2 Purpose of advisory ..... 14
9.3 Consideration in advisory disclosure ..... 14
9.4 Timing of advisory release ..... 14
9.5 Contents of advisory ..... 15
9.6 Advisory communication ..... 16
9.7 Advisory formats ..... 17
9.8 Advisory authenticity ..... 17
Annex A (informative) Details for handling vulnerability/advisory information ..... 18
Annex B (informative) Sample policies, advisories, and global coordinators ..... 26
Bibliography ..... 34

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 29147 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.

Introduction

A vulnerability is a weakness of software, hardware, or online service that can be exploited. An exploitation of vulnerabilities results in a disruption of the confidentiality, integrity, or availability of the ICT system or related information assets, which may cause a breach of data privacy, interruption of operation of mission critical systems, and so on.

Vulnerabilities can be caused by both software or hardware design and programming flaws. Poor administrative processes and a lack of user awareness and education can also be a source of vulnerabilities, as can unforeseen changes in operating environments. Regardless of the cause, an exploitation of such vulnerabilities may result in real threats to mission-critical information systems.

Individuals and organizations, including businesses and governments, rely heavily on hardware and software components used in operating systems, applications, networks, and critical national infrastructure. Vulnerabilities in these components increase risk to the information residing on them, thus increasing risks to users and owners of the information. In addition, the lack of awareness about these vulnerabilities also increases risk.

Inappropriate disclosure of a vulnerability could not only delay the deployment of the vulnerability resolution but also give attackers hints to exploit it. That is why vulnerability disclosure should be carried out appropriately.

Vulnerability disclosure is a process through which vendors and vulnerability finders may work cooperatively in finding solutions that reduce the risks associated with a vulnerability. It encompasses actions such as reporting, coordinating, and publishing information about a vulnerability and its resolution.

The goals of vulnerability disclosure include the following:

a) ensuring that identified vulnerabilities are addressed;
b) minimizing the risk from vulnerabilities;
c) providing users with sufficient information to evaluate risks from vulnerabilities to their systems;
d) setting expectations to promote positive communication and coordination among involved parties.

This International Standard provides guidelines for vendors to be included in their business processes when receiving information about potential vulnerabilities and distributing vulnerability resolution information.

Information technology – Security techniques – Vulnerability disclosure

1 Scope

This International Standard gives guidelines for the disclosure of potential vulnerabilities in products and online services. This International Standard details the methods a vendor should use to address issues related to vulnerability disclosure.

This International Standard

a) provides guidelines for vendors on how to receive information about potential vulnerabilities in their products or online services,
b) provides guidelines for vendors on how to disseminate resolution information about vulnerabilities in their products or online services,
c) provides the information items that should be produced through the implementation of a vendor's vulnerability disclosure process, and
d) provides examples of content that should be included in the information items.

This International Standard is applicable to vendors who respond to external reports of vulnerabilities in their products or online services.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000:2012, Information technology – Security techniques – Information security management systems – Overview and vocabulary

ISO/IEC 30111, Information technology – Security techniques – Vulnerability handling processes

3 Terms and definitions

For the purposes of this document, the terms and definitions in ISO/IEC 27000 and the following apply.

3.1 advisory
announcement or bulletin that serves to inform, advise, and warn about a vulnerability of a product

Note 1 to entry: An advisory may include advice on how to deal with the vulnerability. An advisory typically contains a description of the vulnerability at a specific point in time. An advisory can include a list of vulnerable products or services, potential impact, resolution and mitigation information, and references. Such items included in the advisory are relevant at the time the advisory is published and may evolve over time. An advisory may be published by a vendor, finder, or coordinator and may be revised if more information becomes available.

3.2 coordinator
optional participant that can assist vendors and finders in handling and disclosing vulnerability information

Note 1 to entry: A coordinator can act as a trusted liaison between involved parties (vendors and finders), enabling positive communication between them.

3.3 finder
individual or organization that identifies a potential vulnerability in a product or online service

Note 1 to entry: Finders can be researchers, security companies, users, governments, or coordinators.

3.4 online services
service which is implemented by hardware, software, or a combination of them and provided over a communication line or network

Note 1 to entry: The vendor of an online service may also be referred to as a service provider. Online services are similar to products in that both are primarily software systems. Two main distinctions are that a service often appears to users as a single instance of software and that users do not install, manage, or deploy the software, but they only use the service.

3.5 product
system implemented or developed for sale or to be offered for free

3.6 remediation
patch, fix, upgrade, configuration, or documentation change to either remove or mitigate a vulnerability

Note 1 to entry: A remediation typically takes the form of a configuration change, binary file replacement, hardware change, source code patch, etc. Remediations are usually provided by vendors. Vendors use different terms including patch, fix, hotfix, and upgrade.

Note 2 to entry: Actions that reduce the impact of a possible attack or mask the vulnerability (which are, in most cases, a temporary action) are often called countermeasures or workarounds.

3.7 service
means of delivering value to users by facilitating results users want to achieve without the ownership of specific physical or logical resources and the risks related to ownership

3.8 vendor
individual or organization that developed the product or service or is responsible for maintaining it

3.9 vulnerability
weakness of software, hardware, or online service that can be exploited

[SOURCE: ISO/IEC 27000:2009, 2.46, modified]

Note 1 to entry: Weaknesses in a system can be caused by software and hardware design flaws, poor administrative processes, lack of awareness and education, and advancements in the state of the art or improvements to current practices.

4 Abbreviated terms

CCE    Common Configuration Enumeration
CPE    Common Platform Enumeration
CSIRT  Computer Security Incident Response Team
CVE    Common Vulnerabilities and Exposures
CVSS   Common Vulnerability Scoring System
ID     identifier
IT     information technology
PC     personal computer
PDF    portable document format
PGP    Pretty Good Privacy
PoC    proof of concept
PSIRT  product security incident response team
SRM    secure receiving model
SW     software
URL    uniform re
