Vulnerability Management for Media Companies and Media System Vendors

EBU R 160

EBU R160 version 2 describes a procedure for effective detection and remediation of observed vulnerabilities in media systems. It aligns with vulnerability management best practices in the IT world, including CVE process for the unique identification and scoring of vulnerabilities.

Open file (pdf, 0.2 MB)

Email me a link






R160 has been extensively revised to address recommendations to Media Companies before and after Media Product purchase, and to Vendors before and after Product release, for security scans and tests and Vulnerability management.

The procedure is designed to allow Media Companies and Media System vendors to respond in a timely and accountable fashion to observed Vulnerabilities in Products, leading toward a more secure media industry overall.

The EBU recommends that media companies confronted with critical vulnerabilities in their media equipment adopt the procedure ("EBU R160 Procedure", annexed to R160) and establish a close collaboration with the concerned system vendor(s).

New, alongside this updated Recommendation is R160 Supplement 1 that contains detailed Security Testing Guidelines for performing vulnerability assessments of broadcast equipment (Device under test - DuT). It outlines:

  • Basic tests (mostly automated) that should be performed for every DuT to ensure a minimal security baseline.
  • Advanced tests for in-depth and manual analysis of possible vulnerabilities. They should be performed if the DuTs Threat-and-Risk Assessment shows higher risk and/or is business-critical, as well as subject to available resources.

Keywords: Cybersecurity, Media Systems, Vulnerability, Vendor, Vulnerabilities, CVE, CVSS, CAN.

All versions of this publication

Version   Date   Short description
R160v1   2019   First version