New ISO Standards on Vulnerability Handling and Disclosure

Published: 2014-02-07
Last Updated: 2014-02-07 13:26:41 UTC
by Rob VandenBrink (Version: 1)

Also in the news, ISO standard 30111 was published recently (on Jan 21) - a standard for Vulnerability Handling Processes. The standard was edited by Katie Moussouris, Senior Security Strategist Lead at Microsoft.

The standard covers all the basics, including Vulnerability Verification steps and the Vulnerability Handling Process, and, of particular interest, it delineates where vendors should and should not be involved in the process.

The companion document, ISO 29147 (published in 2013), covers Vulnerability Disclosure. This one is extremely valuable both to security researchers and to any company with a software product. This standard includes guidance on building a framework to address vulnerabilities, including a five-step process that guides vendors through initial receipt and verification of the vulnerability, developing a resolution, releasing the final fix, and communication with customers after the fix is released.

As with all ISO standards, unfortunately these are not free - but both are well worth it if the standards apply to your organization. If your organization writes code, or if you sell hardware that runs code, both of these standards are a must-have.
ISO 30111 can be purchased here:
ISO 29147 can be purchased here:

Rob VandenBrink

1 comment(s)


"As with all ISO standards, unfortunately these are not free "

It's not just that ISO standards aren't free... it is that the price of ordering a copy of ISO standards such as 27001 just to study is really very expensive...

For the price of just one of the sections of the standards, you can buy a few thick books on Security Incident Response.
