Information

Scottish Cyber Coordination Centre - vulnerability coordination: policy and procedure

Outlines the policy and procedure by which the Scottish Cyber Coordination Centre (SC3) alerts Scottish public sector organisations to, and where appropriate coordinates their response to, cyber-attacks that exploit a previously unknown vulnerability.


SC3 Security Vulnerability Coordination Procedure

5.1 SC3 will seek to add value to its community by alerting organisations to the more serious security vulnerabilities, primarily identified via the Common Vulnerability Scoring System (CVSS) framework[4], focussing on Critical severity vulnerabilities and those that SC3 assesses as requiring attention as a matter of urgency, i.e. those assessed as having a high probability of exploitation or already known to have been exploited by threat actors.

5.2 The Common Vulnerability Scoring System (CVSS) is a framework for rating the severity of security vulnerabilities in software. Reported vulnerabilities are assessed, categorised and scored from 0 to 10 on the basis of their severity. Note that a CVSS base score measures the potential impact and ease of exploitation of a flaw, not whether anyone is actually exploiting it; that is why the exploitation sources in 5.3 and 5.4 are used alongside it.

Severity - Score (CVSS qualitative severity rating scale)
None - 0.0
Low - 0.1 - 3.9
Medium - 4.0 - 6.9
High - 7.0 - 8.9
Critical - 9.0 - 10.0

5.3 SC3 advises organisations to monitor the CISA Known Exploited Vulnerabilities (KEV) Catalog regularly, as the authoritative list of vulnerabilities known to be exploited, and to produce their own assessment of which vulnerabilities have the greatest probability of exploitation. It is each organisation's responsibility to be aware of the risks to its technical assets and to have a security vulnerability management process in place, including an asset register, a vulnerability scanning policy and a patching regime, to manage this.

5.4 SC3 monitors CVSS scores, the CISA Known Exploited Vulnerabilities Catalog and the Exploit Prediction Scoring System (EPSS)[5] to produce a weekly assessment of vulnerabilities, including those with the greatest probability of exploitation. Using these resources, SC3 will notify the Scottish Public Sector of:

A) Vulnerabilities assessed as having the greatest probability of exploitation, and those rated Critical, which are collated and disseminated in a weekly report (available on the CiSP Scottish Public Sector Group and in the SC3 daily bulletin email).

B) Vulnerabilities identified by the NCSC and/or GC3 that fall outside the above criteria but are nevertheless judged worthy of notification and coordination. These meet the notification criteria and are disseminated as and when SC3 receives notification.
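The following script is an added example of how an organisation could reproduce the 5.4 A) triage for itself from the same three inputs; it is not SC3's own tooling. The KEV extract, EPSS rows and CVSS base scores are constructed here and follow the layout of the public KEV JSON and EPSS CSV feeds, but the CVE IDs, dates and scores are fictional. The policy does not quantify "greatest probability of exploitation", so the EPSS cut-off of 0.5 is an assumption to be tuned locally.

```python
"""Weekly vulnerability triage in the spirit of SC3 section 5.4 (added example).

Combines CVSS base scores (severity bands from section 5.2), the CISA KEV
catalog (confirmed exploitation) and EPSS (probability of exploitation in the
next 30 days), and flags entries meeting the section 5.4 A) criteria.
All input data below is constructed; the feed shapes mirror the real KEV JSON
and EPSS CSV, but IDs, dates and scores are illustrative only.
"""
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass, field

# Assumption: the policy does not define "greatest probability of exploitation".
# This example treats an EPSS probability of 0.5 or more as meeting that bar.
EPSS_NOTIFY_THRESHOLD = 0.5

# Constructed KEV extract (same shape as the real catalog JSON, fictional rows).
KEV_JSON = json.dumps({
    "title": "constructed KEV extract",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "dateAdded": "2099-01-03"},
        {"cveID": "CVE-2099-0004", "dateAdded": "2099-01-05"},
    ],
})

# Constructed EPSS extract (real files begin with a '#' metadata line).
EPSS_CSV = """#model_version:constructed,score_date:2099-01-06
cve,epss,percentile
CVE-2099-0001,0.97,0.999
CVE-2099-0002,0.02,0.85
CVE-2099-0003,0.71,0.98
CVE-2099-0004,0.10,0.93
CVE-2099-0005,0.01,0.40
"""

# Constructed CVSS base scores (in practice taken from NVD or the vendor).
CVSS_BASE = {
    "CVE-2099-0001": 9.8, "CVE-2099-0002": 9.1, "CVE-2099-0003": 7.5,
    "CVE-2099-0004": 6.5, "CVE-2099-0005": 3.1,
}


def cvss_severity(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to the qualitative band in section 5.2."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def load_kev(text: str) -> dict[str, dict]:
    """Return {cveID: entry} from KEV catalog JSON."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def load_epss(text: str) -> dict[str, float]:
    """Return {cve: epss probability} from an EPSS CSV, skipping '#' metadata lines."""
    rows = (line for line in io.StringIO(text) if not line.startswith("#"))
    return {r["cve"]: float(r["epss"]) for r in csv.DictReader(rows)}


@dataclass
class Finding:
    cve: str
    cvss: float | None          # None when no base score is available yet
    severity: str
    epss: float
    in_kev: bool
    reasons: list[str] = field(default_factory=list)

    @property
    def notify(self) -> bool:
        return bool(self.reasons)


def triage(cvss: dict[str, float], kev: dict[str, dict], epss: dict[str, float]) -> list[Finding]:
    """Apply the section 5.4 A) criteria and rank the result for the weekly report."""
    findings: list[Finding] = []
    for cve in sorted(set(cvss) | set(kev) | set(epss)):
        score = cvss.get(cve)   # KEV entries can predate an NVD score
        sev = "Unscored" if score is None else cvss_severity(score)
        f = Finding(cve, score, sev, epss.get(cve, 0.0), cve in kev)
        if f.in_kev:
            f.reasons.append(f"listed in CISA KEV (added {kev[cve]['dateAdded']})")
        if f.epss >= EPSS_NOTIFY_THRESHOLD:
            f.reasons.append(f"EPSS {f.epss:.2f} >= {EPSS_NOTIFY_THRESHOLD}")
        if sev == "Critical":
            f.reasons.append(f"CVSS {score} (Critical)")
        findings.append(f)
    # Confirmed exploitation first, then likelihood, then severity.
    findings.sort(key=lambda f: (f.in_kev, f.epss, f.cvss or 0.0), reverse=True)
    return findings


def weekly_report(findings: list[Finding]) -> list[str]:
    """One line per notifiable CVE, in the order they should be actioned."""
    return [f"{f.cve} CVSS {f.cvss} {f.severity} EPSS {f.epss:.2f}: " + "; ".join(f.reasons)
            for f in findings if f.notify]


if __name__ == "__main__":
    for line in weekly_report(triage(CVSS_BASE, load_kev(KEV_JSON), load_epss(EPSS_CSV))):
        print(line)
```

On the constructed data this notifies four of the five CVEs: the KEV-listed Medium-severity entry is reported even though CVSS alone would never have surfaced it, and the High-severity entry is reported on EPSS alone, which is the point of combining the three sources rather than filtering on CVSS.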

Contact

Email: SC3@gov.scot
