Company

From Discovery to Disclosure: Managing a Cybersecurity Vulnerability

July 08, 2025 19 min read by Grant Gallacher

Low-angle view of a modern white residential building with balconies and a central glass section against a blue sky.

How retrofit projects improve the resident experience

Graphic showing “Total Cost of Ownership” with TCO badge, stacked coins, and flowing red and blue wave lines.

Why the total cost of ownership matters in access control

Historic light‑colored residential building with decorative balconies and green shutters photographed from below.

Five common mistakes when changing access control systems

No system is ever 100% secure.

This statement has held true for over 40 years and is more relevant today than ever before. Even with well-trained users and security-focused development, new vulnerabilities will always emerge — sometimes in unexpected ways — highlighting the ongoing importance of cybersecurity awareness.

Vulnerability management is not just the responsibility of manufacturers but a shared effort involving system integrators, ethical hackers, and security researchers. Anyone might come across security flaws in any system. The question is: What should they do next — and how should the company behave?

Identifying a vulnerability

A vulnerability in cyber security can take many forms, including:

Software and firmware vulnerabilities: Outdated or insecure code introduces severe security risks (unpatched vulnerabilities, hardcoded backdoors, improper update mechanisms).
Network security and communication weaknesses: Unprotected network traffic can be intercepted and manipulated by attackers (unencrypted communication, man-in-the-middle, weak encrypted algorithms).
Authentication and access control vulnerabilities: Weak authentication mechanisms can allow unauthorized access to the system (default password, brute-force vulnerability, lack of multi-factor authentication).
Hardware and configuration vulnerabilities: Poorly configured devices create an easy entry point for cybercriminals (insecure default settings, exposed admin interface).
Human factor: Manipulating individuals into performing actions or divulging confidential information (phishing, social engineering). This is why employee cybersecurity awareness training is essential—ensuring staff can recognise and respond appropriately to potential threats.

Regardless of how you discover the vulnerability — whether during installation, system operation, security testing, or a penetration test — it’s critical to handle it responsibly.

Responsible reporting: What to do next

The first and most important step after identifying a vulnerability is to report it directly to the manufacturer and coordinate disclosing it publicly after its mitigation. Responsible manufacturers have a clear cybersecurity vulnerability management process in place, which typically includes:

A dedicated security contact email address, reporting form, or ticketing system — most companies provide a way to submit vulnerabilities securely. At 2N, for example, we have a public Vulnerability Management Policy and an official reporting channel on 2N.com.

Coordinated disclosure agreements — security researchers often work with manufacturers under an agreed timeline before vulnerabilities become public.

What NOT to do:

Do not assume someone else will report it. If you see something, say something.

Avoid publicly disclosing the vulnerability until the affected organization has had sufficient time to fix it.

Do not share details of the vulnerability with unauthorized individuals or entities.

What is a vulnerability disclosure program?

A responsible manufacturer will likely follow a vulnerability disclosure program framework and, as such, take the following steps:

Acknowledgment: The company confirms receipt of the report and provides an initial assessment.
Investigation & risk analysis: Security experts assess the severity of the vulnerability, evaluate how easily it can be exploited, and determine the most effective mitigation strategies. Additionally, all parties should agree on a timeline for releasing a fix and the subsequent public disclosure of the vulnerability.
Developing a fix: The manufacturer works on a security patch to resolve the issue.
Security vulnerability testing & verification: The fix must be tested to ensure it properly resolves the vulnerability without introducing new problems.
Public disclosure and CVE assignment: During mutual communication, parties should agree on assigning a CVE (Common Vulnerabilities and Exposures) ID to make the vulnerability public knowledge once a fix is available.

What are CVE and CNA?

CVE (Common Vulnerabilities and Exposures) is an industry-standard system that tracks and names security vulnerabilities. Each CVE entry includes severity, CVSS score, affected products, and patch availability.

CNA (CVE Numbering Authority) is an organization authorized to assign CVE IDs. Some major manufacturers, including Axis, Cisco, and Honeywell, act as CNAs.

What happens if vulnerabilities are ignored?

Once the security patch is released, system integrators and IT teams must act quickly to apply updates. Delaying updates leaves systems vulnerable to exploitation.

An example of what happens when cybersecurity vulnerabilities are ignored:

The Equifax data breach (2017): A known Apache Struts vulnerability (CVE-2017-5638) was not patched in time, resulting in the exposure of 147 million records, including Social Security numbers in the US. The breach led to a $700 million fine and irreparable damage to the company’s reputation.

This case underlines a crucial lesson: Identifying vulnerabilities is not enough — rapid response and transparent communication are key.

Why partner with transparent manufacturers?

Partnering with manufacturers that follow strong vulnerability disclosure practices benefits everyone involved:

To protect your clients: Customers expect secure, up-to-date systems. Working with vendors who release timely updates ensures long-term protection and trust.

To strengthen your expertise: Knowing how to respond to a vulnerability in cyber security makes you a more valuable integrator — and opens up new service opportunities, like maintenance contracts and update packages.

To ensure vendor responsibility: Responsible vendors provide clear guidance, early warnings, and security advisories — including public vulnerability policies and transparent communication.

Cybersecurity is a shared responsibility

We’ve come full circle: no system will ever be 100% secure, and vulnerabilities will always arise. But with responsible reporting, proactive security vulnerability testing, and transparent collaboration between manufacturers and integrators, risks can be mitigated — and trust can be built.

Whether you’re an integrator, developer, or security researcher, your role in cybersecurity matters. And understanding how to manage vulnerabilities is one of the most important skills you can build.

Want to go deeper?

Download our cybersecurity eBook to learn more about vulnerabilities, secure development, and how to protect your systems from evolving threats.

Download our eBook

Most popular Articles of the Category