Vulnerability disclosure has become the focus of attention of cybersecurity experts engaged in strengthening the cybersecurity resilience of the European Union. The valid source of concern comes from the cybersecurity threats looming behind vulnerabilities, as demonstrated by the impact of the Log4Shell vulnerability.
Security researchers and ethical hackers constantly scrutinise ICT systems – both open source and commercial closed source software – to find weaknesses, misconfigurations, software vulnerabilities, etc. A wide range of issues are thus revealed: weak passwords, fundamental cryptographic flaws or deeply nested software bugs.
Identifying vulnerabilities is therefore essential if we want to prevent attackers from exploiting them. It is important to consider that attackers can always develop malware specially designed to exploit vulnerabilities disclosed to the public. Besides the identification itself, vendors can also be reluctant to acknowledge vulnerabilities as their reputation might be damaged as a consequence.