摘要
网络安全漏洞已成为各国重要的网络武器,为加强国家对安全漏洞的管控,各国政府相继出台了安全漏洞公平裁决程序(vulnerability equities process,VEP),该程序在政府层面评估安全漏洞,以保护国家利益为目的,决定披露或保留安全漏洞.目前安全漏洞公平裁决程序面临普及率不高、透明度和规范化程度低的问题.为应对这一情况,总结安全漏洞公平裁决程序的发展历程,针对目前世界范围的VEP程序制定情况进行了分析和对比,主要列举了目前较为成熟的安全漏洞公平裁决程序,并给出了各国VEP政策的对比分析表.同时对如何建立规范化安全漏洞公平裁决程序进行探讨,指出了目前安全漏洞公平裁决程序面临的挑战并提出解决方案.最终为我国建立安全漏洞公平裁决程序提供一些参考建议.
Cybersecurity vulnerabilities have become an important cyber weapon of various countries.To strengthen national control over security vulnerabilities,governments of various countries have released the vulnerability equities process(VEP).This procedure evaluates vulnerabilities at the government level,and then decides to disclose or retain them for the purpose of protecting national interests.At present,the vulnerability equities process faces the problems of low penetration rate,low transparency,and a low degree of standardization.To deal with this situation,the development of the vulnerability equities process is studied,and the current situation of the formulation of VEP procedures worldwide is analyzed and compared.It analyzes and compares the current situation of the worldwide VEP program formulation,mainly enumerating the current mature VEP.At the same time,this paper discusses how to establish a standardized procedure for the vulnerability equities process,points out the challenges faced by the vulnerability equities process,and proposes relevant solutions.Finally,it provides some suggestions for our country to establish a vulnerability equities process.
作者
时翌飞
冯景瑜
曹旭栋
黄鹤翔
王鹤
Shi Yifei;Feng Jingyu;Cao Xudong;Huang Hexiang;Wang He(School of Cyberspace Security,Xi’an University of Posts and Telecommunications,Xi’an 710121;National Computer Network Intrusion Protection Center,University of Chinese Academy of Sciences,Beijing 101408;School of Cyber Engineering,Xidian University,Xi’an 710071)
出处
《信息安全研究》
2021年第6期496-502,共7页
Journal of Information Security Research
基金
国家重点研发项目(2018YFB0804701)
陕西省自然科学基础研究计划项目(2019JM-442)。
关键词
安全漏洞公平裁决程序
国际安全漏洞公平裁决程序
漏洞评估
安全漏洞
国家政策
vulnerability equities process
international vulnerability equities process
vulnerability assessment
vulnerability
national policy
