In NCSC-FI's view, software vulnerabilities pose a serious threat to the normal functioning of the information society. It is self-evident that vulnerabilities need to be identified before they can be satisfactorily fixed or before the threat posed by them can otherwise be mitigated. Furthermore, experience has shown that software testing methodologies and security research approaches can help identify previously unknown vulnerabilities. The findings, however, need to be handled in a responsible manner, as they may have far-reaching adverse consequences for people's privacy, possessions and business, and they may even affect national security.
In its role as a vulnerability coordinator, NCSC-FI promotes responsible handling of vulnerability information during all stages of the vulnerability lifecycle, not merely during the disclosure phase. Identifying the vulnerability is only the first stage of the process. After the identification, the weaknesses caused by the vulnerability need to be fixed, after which the fixes have to be delivered to the user community and applied in order to be of value.
Vulnerability coordinators aim to strike a balance between the interests of the vulnerability discoverers, software vendors and integrators, and the end-user community by ensuring that as many significant vulnerabilities as possible will eventually be fixed and that the fixes will be applied.
NCSC-FI uses the e-mail address vulncoord (at) ficora (dot) fi for vulnerability-related communication. Whenever possible, vulnerability details and vendor communication will be encrypted with PGP or S/MIME to protect the sensitive information.
|e-mail|vulncoord (at) ficora (dot) fi|
|pgp key|NCSC-FI Vulnerability coordination [txt, 5 KB]|
|fingerprint|D1B2 0339 5529 9CF2 9C7E FDCE 0055 7E48 0C94 62BC|