by Jensson
981 days ago
Not sure what you mean, if you know you have an actively exploited vulnerability then what more investigation would you need to do in a few hours? This law only talks about actively exploited vulnerabilities, if you find a bug and go home for the weekend without fixing it that should be fine since that bug isn't actively exploited.

Edit: Point is, once you have done the investigation necessary to know that it is actively exploited you already have a ton of understanding about the problem. I don't see why you would need more than 24 hours at that point just to write a report to affected actors.

Once you discover that it's happening, you know there is an exploit so you know at least that the vulnerability exists. The discovery probably tells you something about the vulnerability, but how much? The last one I heard about in any detail was discovered when they noticed that an uplink was at 100% utilisation and realised that it was due to data being exfiltrated. That didn't tell them much about how the intruder gained the ability to exfiltrate the data.
Do you know enough to describe it? I know enough, but you're the one who's required to write a notification. Can you describe the vulnerability that's the subject of your notification?