ДСТУ ISO/IEC 29147:2016 (ISO/IEC 29147:2014, IDT)
Information technology. Security techniques. Vulnerability disclosure
This is not an official edition.
The official edition is distributed by the national standardization body
(SE «УкрНДНЦ», http://uas.gov.ua)
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Concepts
5.1 General
5.2 Interface between ISO/IEC 29147: Vulnerability disclosure and ISO/IEC 30111: Vulnerability handling processes
5.3 Products and online services
5.4 Stakeholders
5.5 Vulnerability disclosure process summary
5.6 Information exchange during vulnerability disclosure
5.7 Confidentiality of exchanged information
5.8 Vulnerability advisories
5.9 Vulnerability exploitation
6 Vulnerability disclosure policy considerations
6.1 General
6.2 Minimum policy aspects
6.3 Optional policy aspects
7 Receipt of vulnerability information
7.1 General
7.2 Potential vulnerability report and its secure receiving model
7.3 Acknowledgement of receipt from finder or a coordinator
7.4 Tracking incoming reports
7.5 On-going communication with finder
7.6 Detailed information
7.7 Support from coordinators
8 Possible vulnerability reporting among vendors
8.1 General
8.2 Typical cases calling for vulnerability reporting among vendors
8.3 Reporting of vulnerability information to other vendors
9 Dissemination of advisory
9.1 General
9.2 Purpose of advisory
9.3 Consideration in advisory disclosure
9.4 Timing of advisory release
9.5 Contents of advisory
9.6 Advisory communication
9.7 Advisory formats
9.8 Advisory authenticity
Annex A (informative) Details for handling vulnerability/advisory information
Annex B (informative) Sample policies, advisories, and global coordinators
Bibliography