Good Practice Guide on Vulnerability Disclosure

From Challenges to Recommendations

Published in: Good Practice Guide on Vulnerability Disclosure: From Challenges to Recommendations, Nov. 2015, p. 1-92

Posted on on April 27, 2016

by Nicole van der Meulen, Salil Gunashekar, Stefan Soesanto, Eun A Jo

Read More

Access further information on this document at

This article was published outside of RAND. The full text of the article can be found at the link above.

Vulnerabilities are 'flaws' or 'mistakes' in computer-based systems that may be exploited to compromise the network and information security of affected systems. They provide a point-of-entry or gateway to exploit a system and as such pose potentially severe security risks. Fixing vulnerabilities is therefore crucial and the process of disclosing vulnerabilities is a vital component that cannot be underestimated. The vulnerability disclosure landscape is complex, with several stakeholders involved that include vendors, IT security providers, independent researchers, the media, malicious users, governments and, ultimately, the general public. These stakeholders often have competing interests, which results in a challenging landscape. In the specific context of the vulnerability disclosure process, this study seeks to achieve the following primary objectives: --take stock of the current situation in vulnerability disclosure; --identify the challenges of the current situation with respect to vulnerability disclosure; --identify good practices; --propose recommendations for improvements to address the challenges and enhance the adoption of good practices.

Research conducted by

This report is part of the RAND Corporation External publication series. Many RAND studies are published in peer-reviewed scholarly journals, as chapters in commercial books, or as documents published by other organizations.

Our mission to help improve policy and decisionmaking through research and analysis is enabled through our core values of quality and objectivity and our unwavering commitment to the highest level of integrity and ethical behavior. To help ensure our research and analysis are rigorous, objective, and nonpartisan, we subject our research publications to a robust and exacting quality-assurance process; avoid both the appearance and reality of financial and other conflicts of interest through staff training, project screening, and a policy of mandatory disclosure; and pursue transparency in our research engagements through our commitment to the open publication of our research findings and recommendations, disclosure of the source of funding of published research, and policies to ensure intellectual independence. For more information, visit

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.