Your security team discovers a zero-day vulnerability in a widely-used enterprise software platform that your organization uses. The vulnerability allows unauthenticated code execution. Your team has developed a mitigation but hasn't yet applied it across all systems. What is the most appropriate ethical disclosure approach?
Report the vulnerability to regulatory authorities and then contact the vendor
Publish technical details of the vulnerability on security blogs and social media to warn users of the software
Notify the vendor privately with technical details and allow them time to develop a patch before public disclosure
Apply a mitigation to your systems and keep the vulnerability information within your organization
The correct answer is to notify the vendor privately with technical details and allow them time to develop a patch before public disclosure. This follows responsible disclosure principles that balance the need to protect users while giving vendors an opportunity to address the vulnerability. The ethical disclosure process typically includes: privately notifying the vendor with technical details, giving them time to develop and test a fix (often 30-90 days depending on severity), and coordinating public disclosure after a patch is available. This approach minimizes risk to all users of the affected software while ensuring the vulnerability gets addressed.
The other options are problematic: Publishing technical details immediately before a patch exists puts all users at risk. Keeping the vulnerability secret and only applying your mitigation leaves other organizations vulnerable. Reporting to regulatory authorities and then contacting the vendor may violate responsible disclosure protocols and doesn't help resolve the vulnerability efficiently.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a zero-day vulnerability?
Open an interactive chat with Bash
What is responsible disclosure?
Open an interactive chat with Bash
Why is it important to notify the vendor privately before public disclosure?
Open an interactive chat with Bash
ISC2 CISSP
Security Assessment and Testing
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
IT & Cybersecurity Package Join Premium for Full Access