312-50V9 · Question #180
A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician resea
The correct answer is D. Notify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.. Responsible disclosure requires privately notifying the software vendor of a discovered vulnerability and allowing time for a patch before any public disclosure.
Question
A computer technician is using a new version of a word processing software package when it is discovered that a special sequence of characters causes the entire computer to crash. The technician researches the bug and discovers that no one else experienced the problem. What is the appropriate next step?
Options
- AIgnore the problem completely and let someone else deal with it.
- BCreate a document that will crash the computer when opened and send it to friends.
- CFind an underground bulletin board and attempt to sell the bug to the highest bidder.
- DNotify the vendor of the bug and do not disclose it until the vendor gets a chance to issue a fix.
How the community answered
(28 responses)- A11% (3)
- B4% (1)
- C4% (1)
- D82% (23)
Why each option
Responsible disclosure requires privately notifying the software vendor of a discovered vulnerability and allowing time for a patch before any public disclosure.
Ignoring a known vulnerability leaves all users of the software exposed to potential harm with no path to remediation.
Deliberately creating and distributing a weaponized document to crash others' computers is malicious and constitutes unauthorized damage under computer crime statutes.
Selling vulnerability information on underground markets is illegal, enables criminal exploitation, and violates all ethical standards for security professionals.
Responsible disclosure is the industry-standard ethical practice for handling newly discovered vulnerabilities. By notifying the vendor first and withholding public disclosure until a fix is available, the technician protects end users from exploitation while giving the vendor a fair opportunity to remediate the issue.
Concept tested: Responsible vulnerability disclosure practices
Source: https://www.cisa.gov/coordinated-vulnerability-disclosure-process
Topics
Community Discussion
No community discussion yet for this question.