ISO/IEC TR 5895:2022 Cybersecurity — Multi-party coordinated vulnerability disclosure and handling
Standard number: ISO/IEC TR 5895:2022
Chinese title: 网络安全 多方协调的漏洞披露和处理 (Cybersecurity: multi-party coordinated vulnerability disclosure and handling)
English title: Cybersecurity — Multi-party coordinated vulnerability disclosure and handling
Publication date: 2022-06
Scope
ISO/IEC TR 5895:2022 clarifies and extends the application and implementation of ISO/IEC 30111 (vulnerability handling processes) and ISO/IEC 29147 (vulnerability disclosure) in multi-party coordinated vulnerability disclosure (MPCVD) settings, including the evolving, commonly adopted practices in this area, by articulating:
- The MPCVD life cycle and the application of the coordinated vulnerability disclosure (CVD) stages (preparation, receipt, verification, remediation development [1], release, post-release) in MPCVD settings.
- The stakeholders involved in MPCVD: users, vendors (coordinating, mitigating and dependent vendors), reporters, and non-vendor coordinators (entities defined in ISO/IEC 29147 and ISO/IEC 30111).
- The exchange of information between stakeholders during the vulnerability handling and disclosure process in MPCVD settings.
Clarifying how ISO/IEC 30111 and ISO/IEC 29147 apply in MPCVD settings illustrates the benefits of vulnerability disclosure processes. As an ISO/IEC Technical Report, this document is informative guidance layered on those two standards rather than a normative set of requirements in its own right.
[1] "Remediation" is a defined term in ISO/IEC 30111 and ISO/IEC 29147. This document uses the noun "remediation" and the verb "remediate" in the sense of that definition.