Front Page: NCSC-FI

Vulnerabilities – How to report them correctly?

Information security now!

In the second part of our article series on vulnerabilities we answer frequently asked questions. Have you ever wondered where you can report vulnerabilities you discover? Would you like to report a vulnerability but cannot find instructions on how to do it? You have heard that you could receive a reward for reporting a vulnerability, but how does the process work? We will explain what to do.

What are vulnerabilities?

A vulnerability means any weakness that can potentially cause damage or that can be exploited to cause damage. Vulnerabilities can be present in information systems, applications, devices, processes and household automation, in addition to which they can also arise as a result of people’s actions.

Information on vulnerabilities is published by device manufacturers, private individuals and application developers. In an ideal situation, vulnerabilities are made public when mitigations and patches are already available.

All technology has vulnerabilities, and there are many reasons for this. A vulnerability can be caused, for example, by the use of old technology that has not been kept up to date, or by a combination of several less critical weaknesses.

How should vulnerabilities be reported?

There are various processes and practices in place for reporting vulnerabilities to different parties. As a general rule, vulnerabilities should not be needlessly exploited just to verify that they exist. Downloading, accessing or sharing data may constitute an offence.

It is important to ensure that updates are installed and that the related processes work. At worst, business operations may be paralysed or completely disrupted if a vulnerability is exploited.

There are different kinds of vulnerabilities with varying levels of severity. For example, vulnerabilities can be categorised as severe or critical based on their exploit methods and other aspects. In another article, we take a closer look at vulnerabilities, their classification and why some vulnerabilities are more critical than others.

The correct reporting process depends on the operator or organisation with whom you are filing the report. Let’s look at a few alternative processes.

What kinds of reporting processes are there?

Fixing vulnerabilities

Once you have reported a vulnerability, you may have to wait for the problem to be fixed or for the organisation to contact you, even if they have welcomed your report. Fixing vulnerabilities may take time, and organisations may have their own implementation schedules for fixes. Be patient and let the organisation investigate and verify the vulnerability, examine its effects and, where necessary, contact its customers.

Ideally, reporting a vulnerability is a positive experience and leads to interaction that benefits all parties. Positive experiences make it easier to deal with new reports and give a good impression about cooperation.

Major organisations, tech companies and international businesses usually have processes and practices in place for dealing with vulnerabilities. Small and medium-sized enterprises, on the other hand, may not have equally complete processes for handling and preventing vulnerabilities. Understanding vulnerabilities may be difficult even for information security specialists, so it may be worthwhile to seek, ask for or buy help when necessary.

How to be protected against vulnerabilities?

Organisations should always assess information security in the context of their operating environment. To support these assessments, we have published various guides and instructions for organisations. Take a look at the examples given below.