1.
“The Current and Future of Coordinated
Vulnerability Disclosure”
International Panel Discussion
(JPN) Hiroyuki Itabashi (Information Promotion Agency)
(EU) Lorenzo Pupillo, PhD (Associate Senior Research Fellow -
GRID Unit, Head of the Cybersecurity@CEPS Initiative)
(US) Allan Friedman, PhD (Senior Advisor and Strategist,
Cybersecurity & Infrastructure Security Agency)
Moderator, Ikuo Takahashi (Komazawa Legal Chambers)

2.
Vulnerabilities
• By Definition
• Per Japan Early Warning Partnership
• “A security weakness where the functionality or performance can be impacted by
an attack such as computer viruses or unauthorized computer access”
• Per ISO/IEC 27000:2009, 2.46, modified
• “weakness of software, hardware, or online service that can be exploited”
• Importance at present
• Opportunity for Cyber Threats, e.g. ”Fuel for attacks”
• Opportunity for whom
• Cyber criminals/State-sponsored attack
• Governments, Attacker/Defender

3.
Coordinated Vulnerability Disclosure
Full disclosure
• Malicious attackers already know
about a vulnerability, so it is best if
everyone knows their techniques.
• Vendors cannot hide bugs about
vulnerabilities once they are publicly
disclosed.
• Disclosure of vulnerability information
is necessary to create a better system
in the future.
• We should regard the concept that the
vulnerability information is the
property of the discoverer as positive
one.
Responsible disclosure
• Most vulnerabilities are
investigated with the motivation of
the disclosure itself.
• E.g. as a demonstration of one's
competence instead of for the
purpose of eliminating the
vulnerability
• There can be other ways to
effectively disclose vulnerabilities.
• Creating an improved system does
not require providing detailed
vulnerability information or testing.

4.
Coordinated Vulnerability Disclosure
Per Region
JAPAN EU US
Present • Early Warning
Partnership (2004~)
• PSIRT awareness-raising
activities
• Active mediation
function of state
agencies
• Coordinated Vulnerability
Disclosure Policies.
• Mixed responses from
country to country
• Examples: advanced
Belgium, Netherlands,
France
• Legal cases (~2010) toward
protection of researchers
• Government activities
• FTC (Federal Trade Commission)
and regulators in IoT
• Cooperation between researchers
and vendors
• Leverage by law enforcement
agencies
International
trends
• Closer relationships between National Security and Cybersecurity
• Bug bounty programs
• Formalized Standards
• ISO/IEC 29147:2018120 Information technology -- Security techniques -- Vulnerability disclosure
• ISO/IEC 30111:2013 Information technology -- Security techniques -- Vulnerability handling
processes
• RFC9116 File Format for Security Vulnerability Disclosure Support