312-50V11 · Question #403
A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician resea
The correct answer is D. Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.. Responsible disclosure requires notifying the software vendor of a discovered vulnerability and withholding public disclosure until a patch is available, protecting users from exploitation.
Question
A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician researches the bug and discovers that no one else experienced the problem. What is the appropriate next step?
Options
- AIgnore the problem completely and let someone else deal with it.
- BCreate a document that will crash the computer when opened and send it to friends.
- CFind an underground bulletin board and attempt to sell the bug to the highest bidder.
- DNotify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.
How the community answered
(39 responses)- A3% (1)
- B3% (1)
- C8% (3)
- D87% (34)
Why each option
Responsible disclosure requires notifying the software vendor of a discovered vulnerability and withholding public disclosure until a patch is available, protecting users from exploitation.
Ignoring the bug leaves other users vulnerable and fails the ethical obligation of a security-aware professional to improve security.
Creating and distributing a weaponized document is malicious, constitutes unauthorized damage under laws like the CFAA, and harms others.
Selling vulnerability information on underground markets is illegal and unethical, enabling criminal exploitation of unsuspecting users.
Responsible disclosure - also known as coordinated vulnerability disclosure - is the ethical and industry-standard practice where the researcher notifies the vendor privately, giving them reasonable time to develop and release a fix before public disclosure. This approach protects end users from malicious exploitation of the vulnerability while still ensuring the vendor addresses the issue. It balances transparency with harm prevention.
Concept tested: Responsible vulnerability disclosure practices
Source: https://learn.microsoft.com/en-us/legal/msrc/report-an-issue
Topics
Community Discussion
No community discussion yet for this question.