Press release

Closing security gaps

The most recent bidt policy brief focuses on the responsible management of IT security vulnerabilities. The authors assess the current state of vulnerability management and offer potential solutions to address conflicting interests and legal positions. They suggest the creation of a neutral reporting and coordination center in addition to removing legal barriers.

Practically exploitable vulnerabilities in hardware and software threaten the IT security of private and public infrastructures. Closing these gaps is in the interest of all actors: product manufacturers, operators and users.

The authors of this policy brief, Oliver Vettermann, Manuela Wagner, Maximilian Leicht and Felix Freiling, shed light on the current situation in dealing with IT security vulnerabilities. They point out conflicts that arise in practice between manufacturers and independent, proactive IT security researchers or ethical hackers. Coordination and reporting procedures such as the Coordinated Vulnerability Disclosure (CVD) process are currently neither legally binding nor comprehensively implemented. The resulting legal uncertainty has a chilling effect on researchers.

Impulses for a legal framework

In order to close security gaps and make existing systems more resilient in the long term for all those affected, the authors set out impulses for a legal framework. This includes, among other things, giving statutory form to the constitutional protection mandate to guarantee IT security, which requires a balance between the multipolar fundamental rights and interests of researchers, product users and manufacturers or companies. Similarly, obstacles in criminal law should be removed, and IT security research should be given a recognised place in IT security and data protection law when these laws are amended.

Establishment of a reporting and coordination authority

As a second solution, the authors propose the establishment of a reporting and coordination authority that would be embedded in the legally established processes. Such a body could ensure a coordinated balancing of interests and mediation between all parties involved, and thus establish a basis of trust from the reporting of a security vulnerability through to its publication and remediation. In this way, communication between all parties becomes process-driven yet transparent, which is necessary to close IT security gaps effectively and sustainably.

Press contact

Dr. Margret Hornsteiner

Head of Communications and Dialogue, bidt

Enquiries about the study

Prof. Dr.-Ing. Felix Freiling

Member of bidt's Board of Directors | Chair of Computer Science 1 (IT Security Infrastructures), Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU)