P14. Addressing security vulnerabilities

The company should address security vulnerabilities when they are discovered.

Elements:

1. Does the company clearly disclose that it has a mechanism through which security researchers can submit vulnerabilities they discover?
2. Does the company clearly disclose the timeframe in which it will review reports of vulnerabilities?
3. Does the company commit not to pursue legal action against researchers who report vulnerabilities within the terms of the company’s reporting mechanism?
4. (For mobile ecosystems and personal digital assistant ecosystems) Does the company clearly disclose that software updates, security patches, add-ons, or extensions are downloaded over an encrypted channel?
5. (For mobile ecosystems and telecommunications companies) Does the company clearly disclose what, if any, modifications it has made to a mobile operating system?
6. (For mobile ecosystems and telecommunications companies) Does the company clearly disclose what, if any, effect such modifications have on the company’s ability to send security updates to users?
7. (For mobile ecosystems and personal digital assistant ecosystems) Does the company clearly disclose the date through which it will continue to provide security updates for the device/OS?
8. (For mobile ecosystems and personal digital assistant ecosystems) Does the company commit to provide security updates for the operating system and other critical software for a minimum of five years after release?
9. (For mobile ecosystems, personal digital assistant ecosystems, and telecommunications companies) If the company uses an operating system adapted from an existing system, does the company commit to provide security patches within one month of a vulnerability being announced to the public?
10. (For personal digital assistant ecosystems): Does the company clearly disclose what, if any, modifications it has made to a personal digital assistant operating system?
11. (For personal digital assistant ecosystems): Does the company clearly disclose what, if any, effect such modifications have on the company’s ability to send security updates to users?

Clearly disclose(s) — The company presents or explains its policies or practices in its public-facing materials in a way that is easy for users to find and understand.

Device/handheld device/mobile device — A physical object, such as a smartphone or feature phone, used to access telecommunication networks that is designed to be carried by the user and used in a variety of locations.

Encryption — This essentially hides the content of communications or files so only the intended recipient can view it. The process uses an algorithm to convert the message (plaintext) into a coded format (ciphertext) so that the message looks like a random series of characters to anyone who looks at it. Only someone who has the appropriate encryption key can decrypt the message, reversing the ciphertext back into plaintext. Data can be encrypted when it is stored and when it is in transmission.

For example, users can encrypt the data on their hard drive so that only the user with the encryption key can decipher the contents of the drive. Additionally, users can send an encrypted email message, which would prevent anyone from seeing the email contents while the message is moving through the network to reach the intended recipient. With encryption in transit (for example, when a website uses HTTPS), the communication between a user and a website is encrypted, so that outsiders, such as the user’s internet service provider, can only see the initial visit to the website, but not what the user communicates on that website, or the sub-pages that the user visits. For more information, see this resource: http://www.explainthatstuff.com/encryption.html.

Mobile ecosystem — The indivisible set of goods and services offered by a mobile device company, comprising the device hardware, operating system, app store, and user account.

Modifications to a mobile operating system — Changes made to the stock version of a mobile OS that may affect core functionality, the user experience, or the process of deploying software updates.The core functionality is the most essential functions or affordances of a product or service. For example, a smartphone’s core functionality would include sending and receiving phone calls, text messages, and emails, downloading and running apps, and accessing the internet.This applies to Android smartphones produced by companies other than Google.

Operating system (OS) — The software that supports a computer’s basic functions, such as scheduling tasks, executing applications, and controlling peripherals. A mobile operating system is the OS for a mobile device such as a smartphone or tablet.

Patch — A piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bugfixes or bug fixes, and improving the usability or performance of the computer program, application, or operating system.

Personal digital assistant ecosystem — A personal digital assistant (PDA) ecosystem consists of an artificial intelligence-powered interface installed on digital devices that can interact with users through text or voice to access information on the Internet and perform certain tasks with personal data shared by the users. Users can interact with PDA ecosystems through skills, which are either made available by third-party developers/providers or the PDA itself.

Security researcher — Someone who studies how to secure technical systems and/or threats to computer and network security in order to find a solution.

Security update — A widely released fix for a product-specific, security-related vulnerability. Security vulnerabilities are rated by their severity: critical, important, moderate, or low.

Security vulnerability — A weakness which allows an attacker to reduce a system’s information assurance. A vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.

Software update — A software update (also sometimes called a software patch) is a free download for an application or software suite that provides fixes for features that aren’t working as intended or adds minor software enhancements and compatibility. An update can also include driver updates that improve the operation of hardware or peripherals, or add support for new models of peripherals.

Indicator guidance: Computer code is not perfect. When companies learn of vulnerabilities that could put users and their information at risk, they should take action to mitigate those concerns. This includes ensuring that people are able to share any vulnerabilities they discover with the company. We believe it is especially important for companies to provide clear policies to users about the manner and time period in which users will receive security updates. In addition, since telecommunications providers can alter open-source mobile operating systems, we expect these companies to disclose information that may affect a user’s ability to access these critical updates.

• Company privacy policies
• Company security guide
• Company “help” forums