A researcher discovers a remote code execution vulnerability in an IoT chipset used by 45 device vendors. Some vendors respond quickly, others do not respond, and several affected products support critical infrastructure services. The researcher must decide how to handle disclosure. Which actions follow best-practice coordinated vulnerability disclosure in this scenario? Select 2 correct answers.

Question

A researcher discovers a remote code execution vulnerability in an IoT chipset used by 45 device vendors. Some vendors respond quickly, others do not respond, and several affected products support critical infrastructure services. The researcher must decide how to handle disclosure. Which actions follow best-practice coordinated vulnerability disclosure in this scenario? Select  2  correct answers.

Answer

Abandon the report if one vendor denies responsibility

Answer

Share reproduction steps only after all vendors sign NDAs

Answer

Contact a national CERT/CSIRT to coordinate communication across all vendors

Answer

Publish a private advisory without coordinating release plans

Answer

Delay disclosure until every vendor develops a patch

Answer

Inform end-users before notifying vendors

Answer

Force all vendors to follow a single patch release date

Answer

Define a disclosure timeline that considers critical infrastructure risk

Answer

Release partial technical details during the confidentiality period

Answer

Publicly release the exploit code to pressure vendors.

Crowdly

A researcher discovers a remote code execution vulnerability in an IoT chipset u...

Want instant access to all verified answers on moodle.bcu.ac.uk?