When security vulnerabilities are discovered, it is often unclear how much public disclosure of the vulnerabilities is prudent. This is especially true for physical security vis-à-vis cyber security. We never want to help the 'bad guys' more than the 'good guys', but if the good guys aren't made aware of the problems, they are unlikely to fix them. This paper presents a unique semi-quantitative tool, called the 'Vulnerability Disclosure Index' (VDI), to help determine how much disclosure of vulnerabilities is warranted and in what forum. The VDI certainly does not represent the final, definitive answer to this complex issue. It does, however, provide a starting point for thinking about some of the factors that must go into making such a decision. Moreover, anyone using the VDI tool can at least claim to have shown some degree of responsibility in contemplating disclosure issues.

The purpose of this paper is to provide a tool to help decide if and how security vulnerabilities should be disclosed. This tool, called the Vulnerability Disclosure Index (VDI), is not presented here as the ultimate, authoritative method for dealing with this complex issue. It is offered instead as a first step, and as a vehicle for thinking about and discussing some of the factors that need to be pondered when vulnerability disclosures are being considered.