Vulnerability Response (VR)

Vulnerability Response is the overall set of processes and practices that deal with the existence of vulnerabilities in systems. VR encompasses everything from reducing the introduction of vulnerabilities as part of a Secure Development Lifecycle (SDL) through the remediation of deployed vulnerabilities via patch deployment.

Vulnerability response in the design and development phases often takes the form of practices such as Threat Modeling, Secure Coding, and Software Engineering Risk Analysis.

However, such practices seem unlikely ever to completely prevent vulnerabilities from being introduced into released software and deployed systems. For those vulnerabilities that escape detection by these early lifecycle practices, it remains necessary to plan for their eventual discovery and disclosure.

The goals of vulnerability response include the following:

  • Limit attacker advantage over defenders.
  • Reduce the population of vulnerable product instances as quickly as possible.
  • Reduce the impact of attacks against vulnerable systems.

Incident Response vs. Vulnerability Response

Sometimes the term Incident Response is used synonymously with Vulnerability Response. These two concepts are related, but different. Vulnerability Response specifically means responding to reports of product vulnerabilities, usually via the Coordinated Vulnerability Disclosure (CVD) process, whereas Incident Response is more general and can also cover other security events such as network intrusions. We will generally stick to the Vulnerability Response terminology, since this work is specifically about CVD.