During a routine penetration test, your security team discovers a previously unknown zero-day vulnerability in a widely used enterprise software platform deployed throughout your organization. The flaw permits unauthenticated remote code execution on affected servers. Although the team has created a temporary mitigation, it has not yet been rolled out to every system. Which disclosure strategy BEST adheres to responsible and ethical practices?
Apply a mitigation to your systems and keep the vulnerability information within your organization
Publish technical details of the vulnerability on security blogs and social media to warn users of the software
Notify the vendor privately with technical details and allow them time to develop a patch before public disclosure
Report the vulnerability to regulatory authorities and then contact the vendor
The correct answer is to notify the vendor privately with technical details and allow them time to develop a patch before public disclosure. This follows responsible disclosure principles, which balance the need to protect users against giving vendors a fair opportunity to address the vulnerability. The ethical disclosure process typically includes privately notifying the vendor with technical details, giving them time to develop and test a fix (often 30-90 days depending on severity), and coordinating public disclosure after a patch is available. This approach minimizes risk to all users of the affected software while ensuring the vulnerability gets addressed.
The other options are problematic: Publishing technical details immediately before a patch exists puts all users at risk. Keeping the vulnerability secret and only applying your mitigation leaves other organizations vulnerable. Reporting to regulatory authorities and then contacting the vendor may delay remediation and does not follow standard coordinated disclosure workflows.
ISC2 CISSP
Security Assessment and Testing