OSTI.GOV: U.S. Department of Energy, Office of Scientific and Technical Information

Title: A model for how to disclose physical security vulnerabilities.

Journal Article · J. Phys. Sec.
OSTI ID:1018493
 [1]
  1. Nuclear Engineering Division

When security vulnerabilities are discovered, it is often unclear how much public disclosure of the vulnerabilities is prudent. This is especially true for physical security vis a vis cyber security. We never want to help the 'bad guys' more than the 'good guys', but if the good guys aren't made aware of the problems, they are unlikely to fix them. This paper presents a unique semi-quantitative tool, called the 'Vulnerability Disclosure Index' (VDI), to help determine how much disclosure of vulnerabilities is warranted and in what forum. The VDI certainly does not represent the final, definitive answer to this complex issue. It does, however, provide a starting point for thinking about some of the factors that must go into making such a decision. Moreover, anyone using the VDI tool can at least claim to have shown some degree of responsibility in contemplating disclosure issues. The purpose of this paper is to provide a tool to help decide if and how security vulnerabilities should be disclosed. This tool, called the Vulnerability Disclosure Index (VDI), is not presented here as the ultimate, authoritative method for dealing with this complex issue. It is offered instead as a first step, and as a vehicle for thinking about and discussing some of the factors that need to be pondered when vulnerability disclosures are being considered.

Research Organization:
Argonne National Lab. (ANL), Argonne, IL (United States)
Sponsoring Organization:
USDOE Office of Science (SC)
DOE Contract Number:
DE-AC02-06CH11357
OSTI ID:
1018493
Report Number(s):
ANL/NE/JA-64584; TRN: US201114%%24
Journal Information:
J. Phys. Sec., Vol. 3, Issue 1 ; 2009
Country of Publication:
United States
Language:
ENGLISH
