As hacking has morphed from a pastime of small-time thieves and teenage geeks
into a serious financial and national security threat, the issue of when
and how to publicize network security vulnerabilities has become an acute one.
It can be a challenge finding a balance between disclosing the required
information at the appropriate time and allowing software vendors time to
correct the situation before the knowledge falls into the wrong hands.
The practice of spreading FUD (fear, uncertainty and doubt) can be
tempting: researchers and security experts alike gain publicity for
finding a vulnerability and notifying the community. But there is a
clear danger in this practice. One can be viewed as over-hyping a
threat or needlessly scaring the public. Indeed, with so many
vulnerability announcements in the last few years, there is a real risk of
becoming "the boy who cried wolf" as the public disregards the warnings.
The most effective approach from both a public safety and public relations
perspective involves close collaboration between stakeholder
organizations, software vendors, and the government.
Once a software security vulnerability is identified, the starting point
is to discreetly notify the software vendor. The two sides should work
together on a patch and coordinate the release of the information when the
remedy is available. Under the CERT Coordination Center (CERT/CC)
disclosure policy, vulnerabilities are published 45 days after the initial
report, whether or not a fix is available by then. That window gives vendors
time to create a solution while setting a deadline that prevents a report
from languishing indefinitely.
Organizations such as CERT/CC should also be notified in the process of
responsibly disclosing a vulnerability. Such a coordinator can help analyze
the vulnerability and coordinate communications among the proper experts
and the government. Lastly, the Common Vulnerabilities and Exposures (CVE)
program, the standard naming scheme for information security
vulnerabilities, should be asked to assign an identifier to the
vulnerability so that it can be universally named and tracked through an
official addition to the CVE list.
At the end of the day, researchers and security experts must recognize
their true motive for disclosing a network vulnerability. If the community
is put in greater jeopardy by publicizing the threat, then the
disclosure is irresponsible. But by ensuring that vendors, experts and
government are all stakeholders in the communications process, the greater
community good is served.
Seawright is a Director at Strategic Communications Group, an award-winning
public relations and business development firm based in Silver Spring, MD.
She can be reached at firstname.lastname@example.org