ISO/IEC 29147:2018 Information technology — Security techniques — Vulnerability disclosure
Standard number: ISO/IEC 29147:2018
Chinese title: 信息技术 安全技术 信息泄露
English title: Information technology — Security techniques — Vulnerability disclosure
Publication date: 2018-10
Scope
ISO/IEC 29147:2018 This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1[1]. Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected. This document provides:
- guidelines on receiving reports about potential vulnerabilities;
- guidelines on disclosing vulnerability remediation information;
- terms and definitions that are specific to vulnerability disclosure;
- an overview of vulnerability disclosure concepts;
- techniques and policy considerations for vulnerability disclosure;
- examples of techniques, policies (Annex A), and communications (Annex B).
Other related activities that take place between receiving and disclosing vulnerability reports are described in ISO/IEC 30111.
This document is applicable to vendors who choose to practice vulnerability disclosure to reduce risk to users of vendors' products and services.