LLMpedia: The first transparent, open encyclopedia generated by LLMs

ISO/IEC 29147

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Title: ISO/IEC 29147 (Information technology - Security techniques - Vulnerability disclosure)
Status: Published
Year: 2014 (first edition); current edition 2018
Organization: International Organization for Standardization; International Electrotechnical Commission (developed in ISO/IEC JTC 1/SC 27)
Domain: Information technology; Cybersecurity

ISO/IEC 29147 is an international standard that tells a vendor how to receive reports of potential vulnerabilities in its products and online services from external parties (researchers, customers, coordinators) and how to disclose those vulnerabilities to users once a fix or mitigation exists. It is the reporter-facing companion to ISO/IEC 30111, which covers the vendor's internal handling of a verified vulnerability. The standard is cited in coordinated vulnerability disclosure (CVD) guidance from bodies such as NIST, CISA, ENISA and CERT-EU, and it serves as a reference point when procurement or regulatory requirements expect a supplier to operate a disclosure process.

Overview

ISO/IEC 29147 describes what a vendor should do to receive, acknowledge and coordinate externally reported vulnerabilities and how it should disclose them, and it names the roles involved: the reporter (finder), the vendor, an optional coordinator such as CERT/CC or a national CSIRT, and the users who consume advisories. Its recommendations match the established practice of vendor security response teams at Microsoft (MSRC), Google, Apple, Amazon and Facebook (now Meta), and of open-source projects and distributions such as the Linux kernel, the Apache Software Foundation, Red Hat, Debian and Canonical, all of which publish a reporting channel and a disclosure policy. It complements incident-handling guidance such as NIST SP 800-61 and operational material from FIRST (its PSIRT Services Framework and multi-party CVD guidelines) and the SANS Institute, and it can be mapped into control frameworks: NIST SP 800-53 Rev. 5 control RA-5(11) calls for a public vulnerability disclosure program, an ISO/IEC 27001 ISMS can point to 29147 when implementing the ISO/IEC 27002 control on managing technical vulnerabilities, and COBIT and ITIL treat the same activity at the process-governance level. The standard also recommends giving each disclosed vulnerability an identifier; in practice that is usually a CVE ID, administered by MITRE.

Scope and Purpose

The standard covers how a vendor receives reports of potential vulnerabilities, what a report should contain, how vendor and reporter communicate and coordinate (including with third-party coordinators and other affected vendors), and how and when the vendor publishes an advisory. It applies to vendors of hardware, software and online services of any size, for example Cisco Systems, Oracle, IBM, Samsung Electronics and HP Inc., but it deliberately leaves the internal investigation and remediation workflow to ISO/IEC 30111 and sets no fixed disclosure deadline. Its purpose is to reduce risk to users by getting vulnerabilities fixed and disclosed in a predictable way, and to give reporters clear expectations about acknowledgement, communication and credit. Regulators such as the US Federal Trade Commission have in some enforcement actions treated the lack of a working channel for receiving vulnerability reports as an unreasonable security practice, and EU data-protection authorities become involved when a disclosed flaw turns out to have exposed personal data, which is one reason vendors adopt the standard. Stakeholders addressed include vendor product security incident response teams (PSIRTs), security vendors that find flaws in other companies' products (Symantec, Trend Micro, Kaspersky Lab), independent researchers, and academic research groups.

Vulnerability Disclosure Process

The process in the standard has four stages. Receipt: the vendor publishes a reporting channel (a security@ mailbox, a web form, a platform feature such as GitHub's private vulnerability reporting, or a bug-bounty intermediary such as HackerOne or Bugcrowd) together with a disclosure policy and, if reports may contain exploit details, a public encryption key. Acknowledgement and tracking: the vendor confirms receipt promptly, assigns a tracking identifier and keeps the reporter informed of progress. Verification and remediation: the vendor triages and fixes the issue under its vulnerability handling process (ISO/IEC 30111); coordinators such as CERT/CC (part of Carnegie Mellon University's Software Engineering Institute) and national CSIRTs such as US-CERT, now within CISA, step in when several vendors are affected or a vendor is unresponsive. Disclosure: the vendor publishes an advisory giving the affected versions, severity, fix or mitigation and credit to the reporter, as Red Hat Security and the Ubuntu Security Team do, and the reporter publishes in coordination with it. The standard does not impose a deadline; programs such as Google Project Zero (90 days), the Microsoft Security Response Center, Oracle's quarterly Critical Patch Update and the Apple Security Bounty each set their own timelines, and a vendor's policy should state which it follows. Vendor policies commonly add a safe-harbour statement that good-faith research within scope will not be met with legal action. A report that describes an actual compromise rather than a latent flaw is an incident, handled under NIST SP 800-61 or ISO/IEC 27035 with law enforcement (FBI, Interpol) if needed, and is outside the scope of 29147.
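The first practical obligation above is that a vendor publish a reachable reporting channel. One widely used way to do that is the security.txt file of RFC 9116, served at /.well-known/security.txt; it is not part of ISO/IEC 29147, but it is how many vendors advertise the contact point the standard asks for. The checker below is an added example written for this article, not code from ISO/IEC or any vendor. It parses a security.txt and reports what a reporter would care about: whether there is a Contact with an allowed scheme, whether Expires is a valid RFC 3339 timestamp that has not passed (RFC 9116 recommends less than a year ahead), whether singleton fields repeat, and whether any web URI uses plain http. The two sample files and the fixed reference date are constructed for the example; example.com is a reserved documentation domain.

```python
"""Check a security.txt file (RFC 9116) for what a vulnerability reporter needs:
a usable Contact channel and an Expires date that has not passed.

Added example for this article; not part of ISO/IEC 29147 and not any vendor's tooling.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Fields RFC 9116 defines as URI-valued; web URIs among them must use https.
URI_FIELDS = {"contact", "encryption", "acknowledgments", "canonical", "policy", "hiring", "csaf"}
# Fields that may appear at most once.
SINGLETON_FIELDS = {"expires", "preferred-languages"}
# URI schemes RFC 9116 permits for Contact.
CONTACT_SCHEMES = {"https", "mailto", "tel"}

# Fixed reference date so the constructed samples below evaluate the same way every run.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)


def parse_rfc3339(value: str) -> datetime | None:
    """Parse an RFC 3339 timestamp (e.g. 2026-06-30T00:00:00Z) to aware UTC; None if invalid."""
    v = value.strip()
    if v[-1:] in ("Z", "z"):            # fromisoformat() before Python 3.11 does not accept 'Z'
        v = v[:-1] + "+00:00"
    try:
        parsed = datetime.fromisoformat(v)
    except ValueError:
        return None
    if parsed.tzinfo is None:           # RFC 3339 requires an explicit UTC offset
        return None
    return parsed.astimezone(timezone.utc)


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems found; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    fields: dict[str, list[str]] = {}

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                     # blank lines and comments are allowed
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field: reporters have no channel to reach the vendor")
    for c in contacts:
        if urlsplit(c).scheme.lower() not in CONTACT_SCHEMES:
            problems.append(f"Contact {c!r} is not an https:, mailto: or tel: URI")

    for name in SINGLETON_FIELDS:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} appears more than once")

    expires = fields.get("expires", [])
    if not expires:
        problems.append("no Expires field: the file cannot be trusted to be current")
    else:
        when = parse_rfc3339(expires[0])
        if when is None:
            problems.append(f"Expires {expires[0]!r} is not an RFC 3339 timestamp")
        elif when <= now:
            problems.append(f"file expired on {when.date()}: its contact details may be stale")
        elif when - now > timedelta(days=365):
            problems.append("Expires is more than a year away (RFC 9116 recommends less)")

    for name in URI_FIELDS - {"contact"}:
        for v in fields.get(name, []):
            if v.lower().startswith("http://"):
                problems.append(f"{name} uses plain http://; RFC 9116 requires https for web URIs")
    return problems


# Constructed samples for example.com (a reserved documentation domain), not real vendor files.
GOOD_EXAMPLE = """\
# Constructed sample security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-06-30T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Policy: https://example.com/security/disclosure-policy
"""

STALE_EXAMPLE = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_EXAMPLE), ("stale", STALE_EXAMPLE)):
        print(label, check_security_txt(sample, NOW) or "OK")
```

The stale sample fails twice: its Contact is a bare e-mail address rather than a mailto: URI, and its Expires date has passed, which is the signal a reporter should take to look for another channel before sending details. Fetching the file over HTTPS is left out so the check runs offline; in practice the same function is applied to the body retrieved from /.well-known/security.txt.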

Relationship to Other Standards and Frameworks

The closest relative is ISO/IEC 30111 (vulnerability handling processes), which specifies how a vendor investigates and remediates a reported vulnerability; 29147 covers the external interface and 30111 the internal workflow, and the two are meant to be implemented together. Within the ISO/IEC 27000 family, 29147 supports the technical-vulnerability-management control of ISO/IEC 27002 inside an ISO/IEC 27001 ISMS and hands off to ISO/IEC 27035 when a report turns out to describe an actual incident. In the NIST ecosystem it maps to the Identify and Respond functions of the NIST Cybersecurity Framework, to SP 800-53 control RA-5(11), and to the supplier expectations in NIST SP 800-161, which treats a supplier's disclosure process as part of supply-chain risk management. Sector bodies reference it as well: IEC TC 65's IEC 62443-4-1 requires industrial-control-system suppliers to have a process for receiving and handling externally reported security issues, the GSMA runs a CVD programme for mobile-network vulnerabilities, ITU-T security work and PCI Security Standards Council software standards expect vendors to handle disclosures, and OWASP publishes a Vulnerability Disclosure Cheat Sheet built on the same model. Data-protection law such as the General Data Protection Regulation is relevant indirectly: a disclosed vulnerability may reveal a personal-data breach that carries its own notification obligations.

Adoption and Implementation

Adoption is widespread among governments, large vendors and open-source communities. The United Kingdom's NCSC publishes a Vulnerability Disclosure Toolkit and a government-wide reporting route; in the United States, CISA's Binding Operational Directive 20-01 (2020) requires federal civilian agencies to publish a vulnerability disclosure policy, and the Department of Homeland Security and Department of Defense run their own programs; Australia and Canada have published comparable national guidance for their agencies. Implementation guidance comes from FIRST (PSIRT Services Framework and multi-party CVD guidelines), ENISA (its reports on CVD policies across EU member states), NCSC, CERT/CC's CVD Guide, and vendor PSIRTs at VMware, Adobe, Intel, Qualcomm and Siemens, which publish their disclosure policies and advisories. The text of ISO/IEC 29147:2018 is available free of charge through ISO's publicly available standards page, which has helped smaller vendors adopt it. Training that covers the standard is offered by the SANS Institute, (ISC)², ISACA, and university continuing-education programmes such as those at the University of Washington and UC Berkeley Extension.

History and Revisions

Coordinated disclosure practice grew out of community norms codified in the early 2000s by the CERT Coordination Center (its 45-day disclosure policy) and by vendor response teams such as the Microsoft Security Response Center and Cisco PSIRT, against the background of the "responsible disclosure" debates of that period. ISO/IEC 29147 was developed in ISO/IEC JTC 1/SC 27, the committee responsible for the 27000 series, with national bodies such as the British Standards Institution, the American National Standards Institute, Deutsches Institut für Normung, Standards Australia and the Japanese Industrial Standards Committee participating. The first edition was published in 2014 alongside its companion ISO/IEC 30111:2013; a second edition, ISO/IEC 29147:2018, followed in 2018, and 30111 was revised in 2019. Later incidents that shaped disclosure practice, including the Equifax breach (an unpatched Apache Struts flaw, 2017), the SolarWinds supply-chain compromise (2020) and Log4Shell in Log4j (2021), postdate the 2018 edition; they have influenced national policy and multi-party coordination guidance rather than the text of the standard, as have the public debates over disclosure deadlines driven by Google Project Zero and Cisco Talos.

Category:Information security standards