{"id":8338,"date":"2020-05-20T14:13:39","date_gmt":"2020-05-20T11:13:39","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=8338"},"modified":"2020-05-20T14:13:39","modified_gmt":"2020-05-20T11:13:39","slug":"vulnerability-disclosure-ethics","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/vulnerability-disclosure-ethics\/8338\/","title":{"rendered":"Ethical principles for vulnerability disclosure"},
"content":{"rendered":"<p>Bugs and security vulnerabilities are almost unavoidable when any complex IT system, software or hardware is developed. These bugs are often found not by the employees and technical experts of the vendor that makes the software or hardware, but by external researchers. Eliminating these bugs and potential vulnerabilities is the foundation of the robust cybersecurity that our own researchers and experts work on. People, the original source of bugs and mistakes, are therefore also the key factor in detecting and fixing them at the right time. At the same time, it is important to keep in mind that the fixing process itself can create new risks and bugs instead of eliminating the problem.<\/p>\n<p>At Kaspersky, we adhere to clear and transparent ethical principles in responsible vulnerability disclosure (RVD), the process we follow when we find vulnerabilities in other organizations' systems. Our five principles are based on more than 23 years of global work, and we continue to draw on best practices, in particular the Forum of Incident Response and Security Teams (FIRST) <a href=\"https:\/\/www.first.org\/global\/sigs\/ethics\/\" target=\"_blank\" rel=\"noopener nofollow\">Code of Ethics<\/a>. In all circumstances, we place great importance on the security of our users (the individuals and organizations that use Kaspersky products and solutions).<\/p>\n<p>At the same time, we respect the interests of all parties involved: the individuals or organizations whose product contains the vulnerability, their customers (the potential victims), and the cybersecurity industry as a whole.<\/p>\n<p>Following these principles allows us to act <a href=\"https:\/\/www.kaspersky.com\/transparency-center\" target=\"_blank\" rel=\"noopener nofollow\">transparently<\/a>, responsibly and consistently in building a more secure information and communication technology (ICT) ecosystem. However, for such an approach to take hold across the whole IT industry, other vendors and their users, independent researchers, regulators and other interested parties must also set themselves the same goal. That is why we decided to publish our principles for the responsible disclosure of vulnerabilities found in other companies' software. We are taking the lead.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-8340 size-large\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/91\/2020\/05\/20140145\/vulnerability-disclosure-ethics-IG-833x1024.png\" alt=\"\" width=\"833\" height=\"1024\"><\/p>\n<h2>Principle 1: Build trust<\/h2>\n<p>A certain level of distrust lies at the foundation of information security. But vulnerability disclosure cannot work unless trust is established. So, in the spirit of \u201ctrust but verify\u201d, we of course spend time and effort coordinating actions and making sure that the vulnerability does not cause harm, but we assume that the basic motivation of the parties is mutual assistance. When we disclose information about vulnerabilities, our goal is to protect the interests and security of users and society, not entertainment or competition.<\/p>\n<h2>Principle 2: Inform the affected party first<\/h2>\n<p>Vulnerability disclosure is a complex process in which you can run into many obstacles, such as participants who do not respond or cannot even be reached. Despite such problems, giving affected vendors timely and accurate information is critically important. First of all, we jointly coordinate the work of eliminating the vulnerability and minimizing the risk to users. For this, the vendor must offer a clear and transparent way to report and process information about vulnerabilities (for more on how this process works at Kaspersky, see the links <a href=\"https:\/\/support.kaspersky.com\/general\/vulnerability.aspx?el=12429#block0\" target=\"_blank\" rel=\"noopener\">here<\/a> and <a href=\"https:\/\/hackerone.com\/kaspersky\" target=\"_blank\" rel=\"noopener nofollow\">here<\/a>).<\/p>\n<h2>Principle 3: Coordinate efforts<\/h2>\n<p>As everyone knows, no two vulnerabilities are entirely alike. Some threaten the users of a single product, while others can affect multiple parties (for example, in cases involving multinational companies with complex supply chains). Vulnerabilities can also affect critical infrastructure and public-sector networks, and can even threaten national security. Moreover, the interested parties are not only researchers and vendors: regulators, customers, independent researchers and white-hat hackers can also be involved in the process. For effective coordination among all stakeholders, we take international best practices as our guide (for example, the <a href=\"https:\/\/blog.ansi.org\/2018\/11\/iso-iec-29147-2018-vulnerability-disclosure\/#gref\" target=\"_blank\" rel=\"noopener nofollow\">ISO\/IEC 29147:2018 standard<\/a> on vulnerability disclosure). In particular, we try to give all participants enough time for a thorough analysis of the vulnerability and the development of a fix.<\/p>\n<h2>Principle 4: Maintain confidentiality where appropriate<\/h2>\n<p>If technical details of a vulnerability become public too early in the process, attackers can take advantage of them. That is why we share information confidentially, over the most trusted and secure communication channels, with the parties that need to develop mitigations and then report on them. For the same reason, we negotiate the terms and conditions of disclosure with the vendor. However, if we get no response from a vendor, then depending on the severity and scale of the vulnerability and the urgency of the risk, we make the disclosure through our own communication channels in accordance with our internal policies, local regulations and industry best practices, and we continue to keep the vendor informed throughout the process.<\/p>\n<h2>Principle 5: Encourage the desired behavior<\/h2>\n<p>Despite the industry's efforts, cybercriminals continue to search for and find vulnerabilities. That is why we believe it is important to openly support everyone who reports vulnerabilities responsibly and follows industry best practices for responsible disclosure.<\/p>\n<h2>Protecting vulnerability disclosure<\/h2>\n<p>As long as all parties adhere to similar ethical principles, I believe we can work together to make the ICT ecosystem not only more secure but also healthier and more predictable for our users, the people we work for.<\/p>\n<p>You can learn more about the <a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2020\/05\/15091233\/RVD-Ethical-Principles-EN.pdf\">RVD Ethical Principles<\/a> on the <a href=\"https:\/\/www.kaspersky.com\/transparency-center\" target=\"_blank\" rel=\"noopener nofollow\">Global Transparency Initiative page<\/a>.<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>A few ethical principles to ensure that a vulnerability disclosure does not cause more problems than it solves.<\/p>\n","protected":false},
"author":2597,"featured_media":8339,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1726,1194],"tags":[503,790,2198],"class_list":{"0":"post-8338","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-enterprise","8":"category-business","9":"tag-guvenlik-acigi","10":"tag-guvenlik-aciklari","11":"tag-rvd"},
"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/vulnerability-disclosure-ethics\/8338\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/vulnerability-disclosure-ethics\/21319\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/vulnerability-disclosure-ethics\/16785\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/vulnerability-disclosure-ethics\/22348\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/vulnerability-disclosure-ethics\/20510\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/vulnerability-disclosure-ethics\/18812\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/vulnerability-disclosure-ethics\/22734\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/vulnerability-disclosure-ethics\/21759\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/vulnerability-disclosure-ethics\/28424\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/vulnerability-disclosure-ethics\/35581\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/vulnerability-disclosure-ethics\/14915\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/vulnerability-disclosure-ethics\/15203\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/vulnerability-disclosure-ethics\/13472\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/vulnerability-disclosure-ethics\/24004\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/vulnerability-disclosure-ethics\/11463\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/vulnerability-disclosure-ethics\/25429\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/vulnerability-disclosure-ethics\/22319\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/vulnerability-disclosure-ethics\/27607\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/vulnerability-disclosure-ethics\/27440\/"}],
"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/guvenlik-aciklari\/","name":"vulnerabilities"},
"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/8338","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/2597"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=8338"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/8338\/revisions"}],"predecessor-version":[{"id":8341,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/8338\/revisions\/8341"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/8339"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=8338"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=8338"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=8338"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}