□ Security Vulnerability Discovery. In line with its responsibility to strengthen the financial security of South Korea, the FSI discovers security vulnerabilities in the diverse software and solutions deployed across the financial sector.
□ Computer Emergency Response Team(CERT). Pursuant to its legal mandate as the incident response organization for the South Korean financial industry, the institute operates as a CERT and provides professional services across various fields.
□ Vulnerability Management System Development. To strengthen the security of South Korean electronic financial services, the institute is establishing a vulnerability management system that covers the software and solutions commonly used in the financial industry.
□ Reported vulnerabilities are used for impact and risk assessment and for product development (development of security updates) to mitigate them.
□ Disclosure of a vulnerability is strictly prohibited, even after it has been reported. This prohibition covers disclosure to any third party other than the FSI, including the manufacturer.
□ Unless there is clear evidence that a vulnerability was already publicly disclosed (including active exploitation) before its official release, stakeholders must grant vendors a sufficient confidentiality period. Vendors are strongly recommended to investigate and patch the vulnerabilities during that period. Once mitigations have been developed and applied, the vulnerability information is disclosed as agreed between the parties involved.
□ Legal consequences may arise in any of the following cases:
1. The contents of the report are factually inaccurate.
2. The vulnerability is disclosed to a third party other than the FSI (including the manufacturer).
3. The confidentiality obligation is violated.
□ Acquisition: Receiving vulnerability reports through in-house research, the bug bounty program, inter-agency sharing, and other channels.
□ Analysis: Analyzing each vulnerability, based on the reporter's submission, to determine whether it is new, estimate its impact, and so on. Submissions may take the form of a whitepaper, an email, or other formats.
□ Response: Requesting mitigations from manufacturers, and developing and validating security patches. For vulnerabilities in foreign products, the vulnerability information is delivered to the relevant country's CERT or to the manufacturers concerned.
□ Sharing: Sharing information with related organizations and issuing public security alerts for vulnerabilities judged to have a severe impact on the domestic financial industry.
(Sharing) The FSI shares the information with private companies, public agencies, and educational institutions that have deployed the vulnerable products.
(Issuing) Where the vulnerable products are in widespread civilian use, a public security emergency alert is issued, stating the magnitude of potential damage and the degree of risk.