The global skills and competency framework for the digital world

Vulnerability research VURE

Conducting applied research to discover, evaluate and mitigate new or unknown security vulnerabilities and weaknesses.

Updates for SFIA 9

  • There is an updated version of this skill for SFIA 9.
  • Theme(s) influencing the updates for this skill: Include cryptography, Making SFIA easier to consume (new levels).
  • Added reference to cryptography
  • New level 2 added to support entry-level roles.
  • You can move to SFIA 9 when you are ready - SFIA 8 skill descriptions will still be available to use.
  • Previous SFIA assessments or skills mapping are not impacted by this change.

Guidance notes

A security vulnerability is a weakness, flaw or error found within a security system that has the potential to be leveraged by an external agent to compromise a secure system.

Activities may include — but are not limited to:

  • researching new threats, attack vectors, risks and potential solutions
  • reverse engineering hardware or software 
  • applying tools such as disassemblers, debuggers and fuzzers 
  • analysing embedded devices
  • developing techniques and tools to analyse and expose vulnerabilities
  • designing new vulnerability discovery techniques
  • sharing mitigation techniques with relevant stakeholders.

Levels of responsibility for this skill

Levels: 3, 4, 5, 6

Vulnerability research: Levels 1-2

This skill is not typically observed or practiced at these levels of responsibility and accountability.

Vulnerability research: Level 3

Applies standard techniques and tools for vulnerability research.

Uses available resources to update knowledge of relevant specialism.

Participates in research communities.

Analyses and reports on activities and results.

Vulnerability research: Level 4

Designs and executes complex vulnerability research activities.

Specifies requirements for environment, data, resources and tools to perform assessments.

Reviews test results and modifies tests if necessary. Creates reports to communicate methodology, findings and conclusions. Advises on deception methods by exploiting identified patterns.

Makes an active contribution to research communities.

Vulnerability research: Level 5

Plans and manages vulnerability research activities.

Maintains a strong external network in the area of vulnerability research. Gathers information on new and emerging threats and vulnerabilities.

Assesses and documents the impacts and threats to the organisation. Creates reports and shares knowledge and insights with stakeholders.

Provides expert advice and guidance to support the adoption of tools and techniques for vulnerability research. Contributes to the development of organisational policies, standards, and guidelines for vulnerability research and assessment.

Vulnerability research: Level 6

Plans and leads the organisation’s approach to vulnerability research.

Identifies new and emerging threats and vulnerabilities. Maintains a strong external network. Takes a leading part in external-facing professional activities to facilitate information gathering and set the scope of research work.

Engages with, and influences, relevant stakeholders to communicate results of research and the required response.

Develops organisational policies and guidelines for monitoring emerging threats and vulnerabilities.

Vulnerability research: Level 7

This skill is not typically observed or practiced at this level of responsibility and accountability.