1
/
of
6
PayPal, credit cards. Download editable-PDF and invoice in 1 second!
GB/T 30276-2020 English PDF (GB/T30276-2020)
GB/T 30276-2020 English PDF (GB/T30276-2020)
Regular price
$155.00 USD
Regular price
Sale price
$155.00 USD
Unit price
/
per
Shipping calculated at checkout.
Couldn't load pickup availability
Delivery: 3 seconds. Download true-PDF + Invoice.
Get QUOTATION in 1-minute: Click GB/T 30276-2020
Historical versions: GB/T 30276-2020
Preview True-PDF (Reload/Scroll if blank)
GB/T 30276-2020: Information security technology -- Specification for cybersecurity vulnerability management
GB/T 30276-2020
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 30276-2013
Information security technology - Specification for
cybersecurity vulnerability management
ISSUED ON: NOVEMBER 19, 2020
IMPLEMENTED ON: JUNE 01, 2021
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of
China.
Table of Contents
Foreword ... 3
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 5
4 Cybersecurity vulnerability management process ... 6
5 Cybersecurity vulnerability management requirements ... 8
5.1 Vulnerability discovery and report ... 8
5.2 Vulnerability receipt ... 8
5.3 Vulnerability verification ... 9
5.4 Vulnerability disposal ... 11
5.5 Vulnerability release ... 13
5.6 Vulnerability tracking ... 13
6 Verification method ... 14
References ... 15
Information security technology - Specification for
cybersecurity vulnerability management
1 Scope
This Standard specifies the management process, management requirements
and verification methods for each stage of the cybersecurity vulnerability
management process (including vulnerability discovery and report, receipt,
verification, disposal, release, tracking).
This Standard applies to cybersecurity vulnerability management activities that
are carried out by provider of network products and services, network operator,
vulnerability repository organization, and vulnerability emergency response
organization.
2 Normative references
The following documents are indispensable for the application of this document.
For dated references, only the dated version applies to this document. For
undated references, the latest edition (including all amendments) applies to this
document.
GB/T 25069, Information security technology - Glossary
GB/T 28458-2020, Information security technology - Cybersecurity
vulnerability identification and description specification
GB/T 30279-2020, Information security technology - Guidelines for
categorization and classification of cybersecurity vulnerability
3 Terms and definitions
Terms and definitions determined by GB/T 25069, GB/T 28458-2020 and the
following ones are applicable to this document.
3.1 User
Individuals or organizations that use network products and services.
3.2 Provider of network products and services
Individuals or organizations that provide network products and services.
5 Cybersecurity vulnerability management
requirements
5.1 Vulnerability discovery and report
During the vulnerability discovery and report stage, the requirements are as
follows:
a) Requirements for vulnerability discoverers:
-- Under the premise of following relevant national laws and regulations,
use manual or automatic methods to detect and analyze the
vulnerability, and verify the authenticity of the vulnerability;
-- When implementing vulnerability discovery activities, the user's system
operation and data security shall not be affected or damaged; there
shall be no behavior that violates the business operation and data
security of other organizations in order to discover vulnerabilities;
-- When identifying potential vulnerabilities of network products or services,
proactively assess possible security risks;
-- Effective measures shall be taken to prevent leakage of vulnerability
information.
b) Requirements for vulnerability reporters:
-- After discovering vulnerabilities in the network or products and services,
the vulnerability information shall be reported in time;
-- When reporting vulnerabilities, the vulnerabilities shall be described
objectively and truthfully.
5.2 Vulnerability receipt
In the vulnerability receipt stage, the requirements are as follows:
a) Vulnerability reports shall be provided with vulnerability receiving channels,
such as websites, emails or telephones; measures shall be taken to
ensure the security and confidential receipt of vulnerability information;
b) A vulnerability receipt strategy shall be formulated and publicly released,
to facilitate vulnerability reporters to report vulnerabilities. The receipt
strategy includes but is not limited to vulnerability receipt range,
vulnerability receipt channel, vulnerability receipt requirements,
vulnerability receipt process;
-- If the reported vulnerability is found in a product or service that the
provider or network operator does not currently provide support, the
provider or network operator shall continue to complete the
investigation and vulnerability verification, and confirm the impact of the
vulnerability on other supported products or online services.
b) If it is the vulnerability repository organization that performs the verification:
-- After confirming that the vulnerability is received, coordinate the
verification of the vulnerability information in a timely manner. The
coordination method may include: inform the provider of the product or
service that is related to the vulnerability to verify and confirm; jointly
perform verification and confirmation with the provider or network
operator who is associated with the vulnerability; work with the
vulnerability reporter to jointly verify and confirm the vulnerability
information;
-- Reflect the vulnerability objectively and truthfully; do not mislead the
provider or network operator, vulnerability reporter who is associated
with the vulnerability;
-- After verification, notify the provider or network operator who is
associated with the vulnerability in time.
c) If it is the vulnerability emergency response organization that performs the
verification:
-- After confirming that the vulnerability is received, coordinate the
verification of the vulnerability information in a timely manner. The
coordination method may include: inform the provider of the product or
service who is related to the vulnerability to verify and confirm; jointly
perform verification and confirmation with the provider or network
operator who is associated with the vulnerability;
-- After verification, notify the provider or network operator who is
associated with the vulnerability in time.
d) When the following situations occur during the vulnerability verification
process, terminate the subsequent vulnerability management stage;
feedback to the vulnerability reporter:
-- Repeated vulnerability: The vulnerability is a repeated vulnerability, a
resolved or fixed vulnerability;
-- Unverifiable vulnerability: The vulnerability is a vulnerability that cannot
be verified by the provider, network operator, vulnerability repository
organization;
-- Inform the vulnerability reporters and users of the disposal measures of
the vulnerability in a timely manner; report to the vulnerability
emergency response organization when necessary;
-- Effective ways and convenient conditions shall be provided for users to
obtain patches, upgraded versions and temporary disposal suggestions;
-- Necessary technical support shall be provided to the affected users to
support them to complete the vulnerability repair;
-- The deeper reasons for the vulnerability should be investigated, to
determine whether other products or services have the same or similar
vulnerabilities.
b) Requirements for the vulnerability repository organization:
-- Cooperate with the vulnerability emergency response organization and
relevant network p...
Get QUOTATION in 1-minute: Click GB/T 30276-2020
Historical versions: GB/T 30276-2020
Preview True-PDF (Reload/Scroll if blank)
GB/T 30276-2020: Information security technology -- Specification for cybersecurity vulnerability management
GB/T 30276-2020
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 30276-2013
Information security technology - Specification for
cybersecurity vulnerability management
ISSUED ON: NOVEMBER 19, 2020
IMPLEMENTED ON: JUNE 01, 2021
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of
China.
Table of Contents
Foreword ... 3
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 5
4 Cybersecurity vulnerability management process ... 6
5 Cybersecurity vulnerability management requirements ... 8
5.1 Vulnerability discovery and report ... 8
5.2 Vulnerability receipt ... 8
5.3 Vulnerability verification ... 9
5.4 Vulnerability disposal ... 11
5.5 Vulnerability release ... 13
5.6 Vulnerability tracking ... 13
6 Verification method ... 14
References ... 15
Information security technology - Specification for
cybersecurity vulnerability management
1 Scope
This Standard specifies the management process, management requirements
and verification methods for each stage of the cybersecurity vulnerability
management process (including vulnerability discovery and report, receipt,
verification, disposal, release, tracking).
This Standard applies to cybersecurity vulnerability management activities that
are carried out by provider of network products and services, network operator,
vulnerability repository organization, and vulnerability emergency response
organization.
2 Normative references
The following documents are indispensable for the application of this document.
For dated references, only the dated version applies to this document. For
undated references, the latest edition (including all amendments) applies to this
document.
GB/T 25069, Information security technology - Glossary
GB/T 28458-2020, Information security technology - Cybersecurity
vulnerability identification and description specification
GB/T 30279-2020, Information security technology - Guidelines for
categorization and classification of cybersecurity vulnerability
3 Terms and definitions
Terms and definitions determined by GB/T 25069, GB/T 28458-2020 and the
following ones are applicable to this document.
3.1 User
Individuals or organizations that use network products and services.
3.2 Provider of network products and services
Individuals or organizations that provide network products and services.
5 Cybersecurity vulnerability management
requirements
5.1 Vulnerability discovery and report
During the vulnerability discovery and report stage, the requirements are as
follows:
a) Requirements for vulnerability discoverers:
-- Under the premise of following relevant national laws and regulations,
use manual or automatic methods to detect and analyze the
vulnerability, and verify the authenticity of the vulnerability;
-- When implementing vulnerability discovery activities, the user's system
operation and data security shall not be affected or damaged; there
shall be no behavior that violates the business operation and data
security of other organizations in order to discover vulnerabilities;
-- When identifying potential vulnerabilities of network products or services,
proactively assess possible security risks;
-- Effective measures shall be taken to prevent leakage of vulnerability
information.
b) Requirements for vulnerability reporters:
-- After discovering vulnerabilities in the network or products and services,
the vulnerability information shall be reported in time;
-- When reporting vulnerabilities, the vulnerabilities shall be described
objectively and truthfully.
5.2 Vulnerability receipt
In the vulnerability receipt stage, the requirements are as follows:
a) Vulnerability reports shall be provided with vulnerability receiving channels,
such as websites, emails or telephones; measures shall be taken to
ensure the security and confidential receipt of vulnerability information;
b) A vulnerability receipt strategy shall be formulated and publicly released,
to facilitate vulnerability reporters to report vulnerabilities. The receipt
strategy includes but is not limited to vulnerability receipt range,
vulnerability receipt channel, vulnerability receipt requirements,
vulnerability receipt process;
-- If the reported vulnerability is found in a product or service that the
provider or network operator does not currently provide support, the
provider or network operator shall continue to complete the
investigation and vulnerability verification, and confirm the impact of the
vulnerability on other supported products or online services.
b) If it is the vulnerability repository organization that performs the verification:
-- After confirming that the vulnerability is received, coordinate the
verification of the vulnerability information in a timely manner. The
coordination method may include: inform the provider of the product or
service that is related to the vulnerability to verify and confirm; jointly
perform verification and confirmation with the provider or network
operator who is associated with the vulnerability; work with the
vulnerability reporter to jointly verify and confirm the vulnerability
information;
-- Reflect the vulnerability objectively and truthfully; do not mislead the
provider or network operator, vulnerability reporter who is associated
with the vulnerability;
-- After verification, notify the provider or network operator who is
associated with the vulnerability in time.
c) If it is the vulnerability emergency response organization that performs the
verification:
-- After confirming that the vulnerability is received, coordinate the
verification of the vulnerability information in a timely manner. The
coordination method may include: inform the provider of the product or
service who is related to the vulnerability to verify and confirm; jointly
perform verification and confirmation with the provider or network
operator who is associated with the vulnerability;
-- After verification, notify the provider or network operator who is
associated with the vulnerability in time.
d) When the following situations occur during the vulnerability verification
process, terminate the subsequent vulnerability management stage;
feedback to the vulnerability reporter:
-- Repeated vulnerability: The vulnerability is a repeated vulnerability, a
resolved or fixed vulnerability;
-- Unverifiable vulnerability: The vulnerability is a vulnerability that cannot
be verified by the provider, network operator, vulnerability repository
organization;
-- Inform the vulnerability reporters and users of the disposal measures of
the vulnerability in a timely manner; report to the vulnerability
emergency response organization when necessary;
-- Effective ways and convenient conditions shall be provided for users to
obtain patches, upgraded versions and temporary disposal suggestions;
-- Necessary technical support shall be provided to the affected users to
support them to complete the vulnerability repair;
-- The deeper reasons for the vulnerability should be investigated, to
determine whether other products or services have the same or similar
vulnerabilities.
b) Requirements for the vulnerability repository organization:
-- Cooperate with the vulnerability emergency response organization and
relevant network p...
Share
