INTERNATIONAL STANDARD ISO/IEC 29147
Second edition 2018-10

Information technology — Security techniques — Vulnerability disclosure
Technologies de l'information — Techniques de sécurité — Divulgation de vulnérabilité

Reference number ISO/IEC 29147:2018(E)
© ISO/IEC 2018

ISO/IEC 29147:2018(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
CP 401, Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: [email protected]
Website: www.iso.org
Published in Switzerland

ii © ISO/IEC 2018 – All rights reserved

ISO/IEC 29147:2018(E)

Contents                                                      Page
Foreword ................................................... vi
Introduction ............................................... vii
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Concepts ................................................. 3
  5.1 General .............................................. 3
  5.2 Structure of this document ........................... 3
  5.3 Relationships to other International Standards ....... 4
    5.3.1 ISO/IEC 30111 .................................... 4
    5.3.2 ISO/IEC 27002 .................................... 5
    5.3.3 ISO/IEC 27034 series ............................. 6
    5.3.4 ISO/IEC 27036-3 .................................. 6
    5.3.5 ISO/IEC 27017 .................................... 6
    5.3.6 ISO/IEC 27035 series ............................. 6
    5.3.7 Security evaluation, testing and specification ... 6
  5.4 Systems, components, and services .................... 6
    5.4.1 Systems .......................................... 6
    5.4.2 Components
    5.4.3 Products ......................................... 6
    5.4.4 Services
    5.4.5 Vulnerability .................................... 7
    5.4.6 Product interdependency
  5.5 Stakeholder roles .................................... 8
    5.5.1 General .......................................... 8
    5.5.2 User ............................................. 8
    5.5.3 Vendor ........................................... 8
    5.5.4 Reporter ......................................... 8
    5.5.5 Coordinator ...................................... 9
  5.6 Vulnerability handling process summary
    5.6.1 General .......................................... 9
    5.6.2 Preparation ...................................... 10
    5.6.3 Receipt .......................................... 10
    5.6.4 Verification ..................................... 11
    5.6.5 Remediation development .......................... 11
    5.6.6 Release .......................................... 11
    5.6.7 Post-release ..................................... 12
    5.6.8 Embargo period ................................... 12
  5.7 Information exchange during vulnerability disclosure . 12
  5.8 Confidentiality of exchanged information ............. 13
    5.8.1 General
    5.8.2 Secure communications ............................ 13
  5.9 Vulnerability advisories ............................. 13
  5.10 Vulnerability exploitation .......................... 14
  5.11 Vulnerabilities and risk ............................ 14
6 Receiving vulnerability reports .......................... 14
  6.1 General .............................................. 14
  6.2 Vulnerability reports ................................ 14
    6.2.1 General .......................................... 14
    6.2.2 Capability to receive reports .................... 14
    6.2.3 Monitoring ....................................... 15
ISO/IEC 29147:2018 — Information technology — Security techniques — Vulnerability disclosure
This document was uploaded and shared by 人生无常 on 2024-10-26 03:39:43.