Windows 10 News and info | Forum
Author Topic: UK's NCSC Explains How They Handle Discovered Vulnerabilities  (Read 130 times)
« on: December 01, 2018, 04:30:29 PM »

When the United Kingdom's National Cyber Security Center (NCSC) performs operational tasks, they may find vulnerabilities in software, hardware, websites, or critical infrastructure.

When they find these vulnerabilities, they go through a review process called the "Equities Process" that determines if they are going to disclose the vulnerability so that it is fixed or if they will keep it to themselves for use during intelligence gathering.

The NCSC explained this week that when they find a vulnerability, their starting position is to responsibly disclose it. They then review the vulnerability through a series of groups to weigh whether it has more value being kept private so that it can be used to protect the United Kingdom and its allies, or whether it is more important to disclose the vulnerability so that it is fixed.

"The Equities Process provides a mechanism through which decisions about disclosure are taken. Expert analysis, based on objective criteria, is undertaken to decide whether such vulnerabilities should be released to allow them to be mitigated or retained so that they can be used for intelligence purposes in the interests of the UK," explained the NCSC. "The starting position is always that disclosing a vulnerability will be in the national interest."

As part of the Equities Process, there are three groups of people involved in this review process as described below.

    1. The Equities Technical Panel (ETP), made up of a panel of subject matter
        experts from across the UK Intelligence Community including the NCSC.

    2. The GCHQ Equity Board (EB), which includes representation from other
        Government agencies and Departments as required. The Chair of the Equity
        Board is a senior civil servant with appropriate experience and expertise,
        usually drawn from the NCSC, and answerable in this role to the Chief
        Executive Officer (CEO) of the NCSC.

    3. The Equities Oversight Committee, chaired by the CEO of the NCSC, which
        ensures the Equities Process is working appropriately and in accordance with
        specified procedures. This Committee also advises the CEO of the NCSC on
        equity decisions escalated from the Equity Board.

When a new vulnerability submission is received, the Equities Technical Panel applies various criteria to determine whether it should be retained or disclosed. These criteria include determining if disclosing the vulnerability would have a negative impact on the UK's security, whether it could be used for intelligence operations, or whether there is too much risk to the UK and its allies by not releasing it.

If a vulnerability is determined to be retained, then it goes through a series of increasingly senior-level groups who review the vulnerability. Unless there is a consensus that the vulnerability should be retained, it is responsibly disclosed to the vendor or organization. This review process is illustrated in the flowchart below.

There are some exceptions that may cause a vulnerability to not be reviewed under the Equities Process. These include when the vulnerability was disclosed to the UK by an ally who performed a similar review process, when the software is no longer supported and thus there is no way to patch it, or when the vulnerability was purposely designed that way by the developer.

If it is decided to retain the vulnerability, it will go through the same review process at least every 12 months or sooner as required.

This type of review process is not unique to the United Kingdom, and other countries such as the U.S.A. have their own "Vulnerabilities Equities Policy and Process".

