Directorate for Science, Technology and Innovation
Encouraging vulnerability treatment
Overview for policy makers
Most digital security incidents are caused by malicious actors (e.g. cybercriminals
and state-sponsored groups) exploiting vulnerabilities in organisations’ digital ecosystems.
Addressing vulnerabilities before attackers take advantage of them is an effective
means of reducing the probability of cybersecurity incidents. This paper discusses
vulnerabilities in products’ code such as software and firmware, and in how products
are implemented in information systems. It shows that the technical community has
progressed in developing good practice for treating vulnerabilities, including through
co-ordinated vulnerability disclosure (CVD). However, significant economic and social
challenges prevent stakeholders from adopting good practice, such as legal frameworks
that do not sufficiently protect “ethical hackers” from legal proceedings. The paper
stresses that public policies aimed at removing obstacles and encouraging vulnerability
treatment could significantly reduce digital security risk for all. The findings from
this paper will inform the development of a new OECD Recommendation in this area.