When a vulnerability is discovered, what is the appropriate approach to communicating risk?

Prepare for the Code Standards and Practices Level 1 Test. Test yourself with multiple choice questions, flashcards, and explanations. Ensure success with our comprehensive study materials!

Multiple Choice

When a vulnerability is discovered, what is the appropriate approach to communicating risk?

Explanation:
When a vulnerability is found, the goal of communicating risk is to get the right people informed so they can act quickly and effectively. Sharing the risk with stakeholders, such as product owners, developers, IT and security teams, legal, and leadership, helps everyone understand the potential impact, the likelihood of exploitation, and what actions are needed. A useful risk communication states the affected systems or versions, the preconditions an attacker needs, the severity (for example a CVSS score alongside the business impact), and any available workaround. This enables proper triage, prioritization, and allocation of resources for mitigation, patching, or compensating controls, and supports a coordinated response plan.

Coordinated disclosure follows a responsible sequence: inform those who can fix the issue first, and only consider broader public communication once a fix or workaround is ready. Disclosing publicly before a patch exists invites attackers to exploit the vulnerability, while keeping details entirely secret or confined to internal chats delays remediation and leaves the exposure in place. Exploit-level detail should be shared on a need-to-know basis with the people fixing and validating the issue, while the risk summary reaches everyone who must decide or act. Communicating risk to stakeholders balances transparency with practicality, driving timely and effective risk reduction.
