Global Vulnerability Policy Map

Jurisdiction
France
Region
Europe
Requirement
Required
Policy
Law for a Digital Republic
Applies to
ANSSI (French government agency)
Provision
Article 47
Description
Gives good-faith vulnerability reporters a limited safe harbor: when a person acting in good faith reports a vulnerability to ANSSI alone, ANSSI is released from its duty to refer the matter to the public prosecutor and must protect the reporter's identity. This is not a general immunity from prosecution and does not cover reports sent to anyone other than ANSSI.
Date
October 2016
Organization
French Parliament
Jurisdiction
Lithuania
Region
Europe
Requirement
Required
Policy
Law amending Articles 1, 2, 6, 8, 9 and 13, the title of Chapter V and the Annex of the Cyber Security Law of the Republic of Lithuania No. XII-1428, and supplementing the Law with Article 17 and Chapter VI
Applies to
Reporters of Vulnerabilities
Provision
Article 8 (Adding Article 17)
Description
Defines what constitutes the legitimate search for and disclosure of a vulnerability by a private person, subject to the following conditions:
1. The operation, functionality, services, and the availability or integrity of data of the communication and information system may not be disrupted or altered.
2. Once a vulnerability is identified, the search activity is terminated.
3. Within 24 hours of the start of the search activity, information on the results must be submitted to the National Cyber Security Centre (NCSC) under the Ministry of National Defence or to the cybersecurity entity (CSE) that operates the system.
4. Data managed by the cybersecurity entity is not validated, monitored, recorded, intercepted, acquired, stored, disclosed, copied, modified, corrupted, deleted or destroyed beyond what is necessary.
5. No attempts are made to guess passwords. Illegally obtained passwords are not used, and employees of the CSE or other persons with access to non-public information relevant to the search are not exploited or manipulated in order to obtain that information.
6. Information about the detected vulnerability is shared only with the NCSC or the CSE and made public only as the amendment permits.
Date
June 2021
Organization
Ministry of National Defense
Jurisdiction
People's Republic of China
Region
Asia/Pacific
Requirement
Required
Policy
Regulations on the Management of Security Vulnerabilities in Network Products
Applies to
Network product providers, network operators and network product security vulnerability collection platforms
Provision
Article 5, Article 6
Description
Article 5: Network product providers, network operators and network product security vulnerability collection platforms shall establish and improve channels for receiving network product security vulnerability information and keep them open, and retain network product security vulnerability information receiving logs for no less than 6 months. 
 
Article 6: "Encourages relevant organizations and individuals to report security vulnerabilities in their products to network product providers" and "Encourage network product providers to establish a reward mechanism for security vulnerabilities in the network products they provide, and reward organizations or individuals who discover and report security vulnerabilities in the network products they provide."
Date
July 2021
Organization
Ministry of Industry and Information Technology
Jurisdiction
United Kingdom
Region
Europe
Requirement
Required
Policy
Product Security and Telecommunications Infrastructure (PSTI) Act
Applies to
Manufacturers, importers and distributors of consumer connectable products in the UK
Provision
Part 1, Chapter 2, Sec. 8 of the PSTI Act & PSTI Regulations 2023, Schedules 1 and 2
Description

The Product Security and Telecommunications Infrastructure Act 2022, Part 1, Chapter 1 allows the Secretary of State to specify, by regulations, security requirements for relevant connectable products.

PSTI Regulations 2023, Schedule 1, paragraph 2 requires that manufacturers of relevant connectable products publish, in English and in an accessible, clear and transparent way:
• information on how to report security issues about their products (hardware or software), including at least one point of contact; and
• the timescales within which a reporter will receive an acknowledgement of the report and status updates until the issue is resolved.
The information must be available without any prior request for personal information from the reporter.

Date
April 29, 2024
Organization
UK Parliament
Jurisdiction
United States
Region
North America
Requirement
Required
Policy
IoT Cybersecurity Improvement Act 2020
Applies to
Federal agencies and contractors providing IoT devices to the Federal government
Provision
Sec. 5, Sec. 6, Sec. 7
Description
Section 5: (Guidelines on the Disclosure Process for Security Vulnerabilities Relating to Information Systems, Including IoT Devices) NIST must create guidelines "(1) for the reporting, coordinating, publishing, and receiving of information about—(A) a security vulnerability relating to information systems owned or controlled by an agency (including Internet of Things devices owned or controlled by an agency); and (B) the resolution of such security vulnerability; and (2) for a contractor providing to an agency an information system (including an Internet of Things device) and any subcontractor thereof at any tier providing such information system to such contractor, on—(A) receiving information about a potential security vulnerability relating to the information system; and (B) disseminating information about the resolution of a security vulnerability relating to the information system."
 
Section 6: (Implementation of Coordinated Disclosure of Security Vulnerabilities Relating to Agency Information Systems, Including IoT Devices) Federal agencies, in collaboration with OMB, must develop "policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities of information systems". These must be consistent with the NIST guidelines and standards. Moreover, "the Federal Acquisition Regulation shall be revised as necessary to implement the provisions under this section."
 
Section 7: (Contractor Compliance With Coordinated Disclosure of Security Vulnerabilities Relating to Agency IoT Devices) The head of a federal agency is prohibited from "procuring or obtaining, renewing a contract to procure or obtain, or using an Internet of Things device" if the Chief Information Officer determines that doing so would prevent compliance with the guidelines published under Section 5.
Date
December 2020
Organization
Congress / NIST
Jurisdiction
United States
Region
North America
Requirement
Required
Policy
M-23-16, update to memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices
Applies to
Software producers that serve the Federal government
Provision
Section 4.b of the Self-Attestation Common Form
Description
Requires software producers to attest that they have a policy or process to address discovered security vulnerabilities prior to product release.
Date
June 9, 2023
Organization
OMB
Jurisdiction
United States
Region
North America
Requirement
Required
Policy
CISA Binding Operational Directive 20-01
Applies to
Federal agencies
Provision
N/A
Description
Enable Receipt of Unsolicited Reports: Agencies must ensure that they have a designated security contact for their .gov domains and that their email is regularly monitored. 
 
Develop and Publish a Vulnerability Disclosure Policy: The VDP must include which systems are in scope; the types of testing that are allowed; a description of how to submit vulnerability reports; a commitment not to recommend or pursue legal action against good-faith reporters; a statement that sets expectations for the reporter and pledges that the agency will be as transparent as possible about remediation; and an issuance date. A VDP must not require the submission of PII; limit testing solely to vetted, registered parties or US citizens; attempt to restrict the reporter's ability to disclose discovered vulnerabilities to others; or submit disclosed vulnerabilities to the Vulnerabilities Equities Process or any similar process.
 
Vulnerability Disclosure Handling Procedures: VDPs must "Describe how: Vulnerability reports will be tracked to resolution; Remediation activities will be coordinated internally; Disclosed vulnerabilities will be evaluated for potential impact and prioritized for action; Reports for systems and services that are out of scope will be handled; Communication with the reporter and other stakeholders (e.g., service providers, CISA) will occur; Any current or past impact of the reported vulnerabilities (not including impact from those who complied with the agency VDP) will be assessed and treated as an incident/breach, as applicable. Set target timelines for and track: Acknowledgement to the reporter (where known) that their report was received; Initial assessment (i.e., determining whether disclosed vulnerabilities are valid, including impact evaluation); Resolution of vulnerabilities, including notification of the outcome to the reporter."
 
Reporting Requirements and Metrics: After the VDP is created, federal agencies must report valid/credible reports of newly discovered vulnerabilities on agency systems that could affect other parties in government or industry.
 
CISA Actions: "CISA will monitor agency compliance to this directive and may take actions for non-compliance" and "will review agencies' initial implementation plan that reflects timelines and milestones for their VDP" to cover the systems required under OMB Memorandum M-20-32.
Date
September 2020
Organization
CISA
Jurisdiction
United States
Region
North America
Requirement
Required
Policy
OMB Memorandum M-20-32, Improving Vulnerability Identification, Management, and Remediation
Applies to
Federal agencies
Provision
Sections I, II, & III
Description

Section I: Clearly Worded VDP: Agency VDPs shall clearly articulate which systems are in scope and the set of security research activities that can be performed against them to protect those who would report vulnerabilities. Federal agencies shall provide clear assurances that good-faith security research is welcomed and authorized. 

Clearly Identified Reporting Mechanism: Each Federal agency shall clearly and publicly identify where and how Federal information system vulnerabilities should be reported. 

Timely Feedback: Federal agencies shall provide timely feedback to good-faith vulnerability reporters. Once a vulnerability is reported, those who report them deserve to know they are being taken seriously and that action is being taken. Agencies should establish clear expectations for regular follow-up communications with the vulnerability reporter, to include an agency-defined timeline for coordinated disclosure.

Good-Faith Security Research is Not an Incident or Breach: Good-faith security research does not itself constitute an incident or breach under the Federal Information Security Modernization Act of 2014 (FISMA) or OMB Memorandum M-17-12. 

Section II: CISA must publish implementation guidance describing the actions agencies should take to incorporate VDPs into their larger information security programs.

Section III: Each federal agency must develop and implement a VDP.

Date
September 2020
Organization
OMB
Jurisdiction
Australia
Region
Asia/Pacific
Requirement
Recommended
Policy
Information Security Manual (ISM)
Applies to
Large companies, Government agencies
Provision
Pg. 106 (Controls ISM-1616, ISM-1755, ISM-1756, ISM-1717)
Description
Control: ISM-1616; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services. 
 
Control: ISM-1755; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: N/A A vulnerability disclosure policy is developed, implemented and maintained. 
 
Control: ISM-1756; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: N/A Vulnerability disclosure processes, and supporting vulnerability disclosure procedures, are developed, implemented and maintained.
 
Control: ISM-1717; Revision: 2; Updated: Sep-23; Applicability: All; Essential Eight: N/A A ‘security.txt’ file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of vulnerabilities in an organisation’s products and services. 
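ISM-1717 names security.txt, the machine-readable file defined in RFC 9116 and served at /.well-known/security.txt, as the way an organisation tells reporters where to send a finding. The checker below is an added example written for this page, not code from the ASD ISM or from any vendor; the two sample files and the fixed clock FIXED_NOW are constructed for illustration. It parses a security.txt body and applies the RFC 9116 rules a reporter or an auditor relies on: at least one Contact that is a https:, mailto: or tel: URI; exactly one Expires in RFC 3339 form that is neither in the past nor, per the RFC's recommendation, more than a year ahead; and at most one Preferred-Languages. An OpenPGP cleartext signature wrapper is skipped rather than verified.

```python
"""Check a security.txt body against the RFC 9116 rules a reporter depends on.
Added example for this page; not code from the ASD ISM or any vendor.
The sample files and the fixed clock below are constructed."""
from datetime import datetime, timedelta, timezone

# Field names defined by RFC 9116. Extension fields are permitted by the RFC,
# so an unknown name is reported as a note rather than an error.
KNOWN_FIELDS = {
    "Acknowledgments", "Canonical", "Contact", "Encryption",
    "Expires", "Hiring", "Policy", "Preferred-Languages",
}
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")

# Constructed clock so the checks are deterministic (assumption for the example).
FIXED_NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return {field: [values]}. Comments and blank lines are ignored, field
    names are case-insensitive and normalised to the RFC spelling, and an
    OpenPGP cleartext-signature wrapper (armor headers, signature block) is
    skipped rather than parsed as fields."""
    canonical = {name.lower(): name for name in KNOWN_FIELDS}
    fields = {}
    in_signature = in_armor_header = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_armor_header = True          # "Hash: ..." lines follow, then a blank
            continue
        if in_armor_header:
            in_armor_header = bool(line)    # first blank line ends the armor header
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            in_signature = True             # skip "Version:" headers and base64 body
            continue
        if line == "-----END PGP SIGNATURE-----":
            in_signature = False
            continue
        if in_signature or not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        name = canonical.get(name.strip().lower(), name.strip())
        fields.setdefault(name, []).append(value.strip())
    return fields


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp; None if malformed or lacking a UTC offset."""
    if value.endswith(("Z", "z")):
        value = value[:-1] + "+00:00"       # fromisoformat() before 3.11 rejects 'Z'
    try:
        ts = datetime.fromisoformat(value)
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not c.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a https:/mailto:/tel: URI, got {c!r}")

    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        ts = parse_rfc3339(expires[0])
        if ts is None:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]!r}")
        elif ts <= now:
            problems.append("Expires is in the past; the file is stale and should not be used")
        elif ts - now > timedelta(days=365):
            problems.append("Expires is more than a year ahead (RFC 9116 recommends under a year)")

    if len(fields.get("Preferred-Languages", [])) > 1:
        problems.append("Preferred-Languages must not appear more than once")

    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"note: extension field {name!r} is not defined by RFC 9116")
    return problems


# Constructed sample files (example.com is a reserved documentation domain).
GOOD_SAMPLE = """\
# Served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/.well-known/security/report
Expires: 2030-01-01T00:00:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/vulnerability-disclosure-policy
"""

BAD_SAMPLE = """\
Contact: security@example.com
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(label, check_security_txt(sample, now=FIXED_NOW) or "OK")
```

Run it against a saved copy of the file from each internet-facing domain. Verifying the OpenPGP signature and confirming the file is actually served over HTTPS at the well-known path are separate steps not covered here. The stale-file case is the one that most often defeats ISM-1717 in practice: RFC 9116 says data in a file past its Expires date should not be used, so an unmonitored file that quietly expires leaves reporters with no trusted contact.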
Date
September 2023
Organization
Australian Signals Directorate (ASD)
Jurisdiction
Belgium
Region
Europe
Requirement
Recommended
Policy
Cybersecurity Strategy Belgium 2.0 2021-2025
Applies to
Companies and organizations
Provision
Section 3.2.2
Description
Companies and organizations are urged to publish a “Coordinated Vulnerability Disclosure Policy.” Through sectoral authorities, professional organizations and the Cyber Security Coalition Belgium, they will be informed of significant threats or vulnerabilities. Organizations of Vital Interest will also receive targeted and non-public alerts through the CCB’s Early Warning System (EWS).
Date
May 2021
Organization
Centre for Cyber Security Belgium
Jurisdiction
Belgium
Region
Europe
Requirement
Recommended
Policy
Guide to Coordinated Vulnerability Disclosure Policies, Part I: Good Practices
Applies to
Companies and organizations
Provision
N/A
Description
Outlines "good practices" for the content of a CVD policy and for the overall process of Discovery, Report, Investigate, Deploy a Solution, and (Possibly) Disclose Publicly.
Date
December 2020
Organization
Centre for Cyber Security Belgium
Jurisdiction
Belgium
Region
Europe
Requirement
Recommended
Policy
Guide to Coordinated Vulnerability Disclosure Policies, Part II: Legal Aspects
Applies to
Companies and organizations
Provision
N/A
Description
Outlines the specific legal consequences of a CVD as they relate to Intrusion into an IT system; Manipulation of IT data; IT forgery and IT fraud; Crimes concerning the secrecy of communications; and Compliance with other legal provisions.
Date
December 2020
Organization
Centre for Cyber Security Belgium
Jurisdiction
Canada
Region
North America
Requirement
Recommended
Policy
Cyber Security Self-Assessment
Applies to
Federally regulated financial institutions (FRFIs) in Canada
Provision
Item 42
Description

The FRFI has identified reputable sources of vulnerability information, and subscribes to recognized and authoritative vulnerability reporting services.

Date
August 2021
Organization
Office of the Superintendent of Financial Institutions (OSFI)
Jurisdiction
European Union
Region
Europe
Requirement
Recommended
Policy
Coordinated Vulnerability Disclosure Policies in the EU
Applies to
EU Member States
Provision
Section 4
Description
Encourages EU member states to implement CVD policies by providing recommendations for how to overcome the associated legal, economic, political, operational, and crisis-management challenges. In the document, ENISA also indicated that it might in future provide clear guidance to countries on how to establish a CVD policy, publish countries' best practices and challenges, and publish templates on which countries can base their policies.
Date
April 2022
Organization
European Union Agency for Cybersecurity (ENISA)
Jurisdiction
International / Standards Bodies
Region
International
Requirement
Recommended
Policy
ISO/IEC 29147, Information technology — Security techniques — Vulnerability disclosure
Applies to
Vendors
Provision
N/A
Description

This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1. Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected. This document provides:

— guidelines on receiving reports about potential vulnerabilities;

— guidelines on disclosing vulnerability remediation information;

— terms and definitions that are specific to vulnerability disclosure;

— an overview of vulnerability disclosure concepts;

— techniques and policy considerations for vulnerability disclosure;

— examples of techniques, policies (Annex A), and communications (Annex B).

Other related activities that take place between receiving and disclosing vulnerability reports are described in ISO/IEC 30111.

Date
October 2018
Organization
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC)
Jurisdiction
International / Standards Bodies
Region
Europe
Requirement
Recommended
Policy
Decision No. 1202 - OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies
Applies to
OSCE Member States
Provision
CBM 16
Description
Participating States will, on a voluntary basis, encourage responsible reporting of vulnerabilities affecting the security of and in the use of ICTs and share associated information on available remedies to such vulnerabilities, including with relevant segments of the ICT business and industry, with the goal of increasing co-operation and transparency within the OSCE region. OSCE participating States agree that such information exchange, when occurring between States, should use appropriately authorized and protected communication channels, including the contact points designated in line with CBM 8 of Permanent Council Decision No. 1106, with a view to avoiding duplication.
Date
March 2016
Organization
Organization for Security and Co-operation in Europe (OSCE)
Jurisdiction
International / Standards Bodies
Region
International
Requirement
Recommended
Policy
ISO/IEC 30111, Information technology — Security techniques — Vulnerability handling processes
Applies to
Vendors
Provision
N/A
Description

This document provides requirements and recommendations for how to process and remediate reported potential vulnerabilities in a product or service.

This document is applicable to vendors involved in handling vulnerabilities.

Date
October 2019
Organization
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC)
Jurisdiction
International / Standards Bodies
Region
International
Requirement
Recommended
Policy
GFCE Global Good Practices Coordinated Vulnerability Disclosure (CVD)
Applies to
Political leadership/policymakers, manufacturers/vendors, users, reporters, legal professionals, and national CSIRTs
Provision
N/A
Description
Provides CVD best practices for political leadership/policymakers, manufacturers/vendors, users, reporters, legal professionals, and national CSIRTs. It also explains 8 key challenges, including conflicts between involved stakeholders; failure to patch after disclosure; and sale of zero-day vulnerabilities. 
Date
2017
Organization
Global Forum on Cyber Expertise
Jurisdiction
International / Standards Bodies
Region
International
Requirement
Recommended
Policy
The CERT® Guide to Coordinated Vulnerability Disclosure
Applies to
All Organizations
Provision
N/A
Description
Provides a summary of CVD. The document includes 7 core sections: 
1. Principles of Coordinated Vulnerability Disclosure 
2. Roles in CVD 
3. Phases of CVD 
4. Process Variation Points 
5. Troubleshooting CVD 
6. Operational Considerations 
7. Open Problems in CVD 
Date
August 2017
Organization
Carnegie Mellon University Software Engineering Institute
Jurisdiction
International / Standards Bodies
Region
International
Requirement
Recommended
Policy
Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure
Applies to
Vendors
Provision
N/A
Description
Provides "Guiding Concepts and Best Current Practices" related to multi-lateral coordination on CVDs: 
1. Establish a strong foundation of processes and relationships 
2. Maintain clear and consistent communications 
3. Build and maintain trust 
4. Minimize exposure for stakeholders 
5. Respond quickly to early disclosure 
6. Use coordinators when appropriate 
Date
Spring 2020
Organization
FIRST - Forum of Incident Response and Security Teams
Jurisdiction
International / Standards Bodies
Region
Europe
Requirement
Recommended
Policy
ETSI TR 103 838, Cyber Security; Guide to Coordinated Vulnerability Disclosure
Applies to
Companies and organizations
Provision
N/A
Description

Provides guidance on the "essential steps" companies should take when deciding to implement a VDP. ETSI explicitly states that the document is not intended to be a comprehensive guide.

Date
January 2022
Organization
ETSI - European Telecommunications Standards Institute
Jurisdiction
International / Standards Bodies
Region
International
Requirement
Recommended
Policy
Recommendation of the Council on the Treatment of Digital Security Vulnerabilities (OECD/LEGAL/0482)
Applies to
Signatory countries
Provision
N/A
Description

The purpose of this Recommendation is to provide guidance on how to implement the Digital Security Recommendation to develop public policies to foster vulnerability treatment in order to reduce digital security risk, thereby strengthening trust and supporting digital transformation.

Date
September 25, 2022
Organization
Organization for Economic Co-operation and Development (OECD)
Jurisdiction
International / Standards Bodies
Region
Europe
Requirement
Recommended
Policy
ETSI EN 303 645, Cyber Security for Consumer Internet of Things: Baseline Requirements
Applies to
Manufacturers
Provision
Provision 5.2-1
Description

The manufacturer shall make a vulnerability disclosure policy publicly available. This policy shall include, at a minimum: 

• contact information for the reporting of issues; and 

• information on timelines for: 1) initial acknowledgement of receipt; and 2) status updates until the resolution of the reported issues.

Date
June 2020
Organization
ETSI - European Telecommunications Standards Institute
Jurisdiction
International / Standards Bodies
Region
International
Requirement
Recommended
Policy
Good Practice Guidance on the Co-ordination of Digital Security Vulnerabilities (DSTI/CDEP/SDE(2021)9/FINAL)
Applies to
Policy makers, code owners, system owners, vulnerability researchers
Provision
N/A
Description

This good practice guidance aims to provide policy makers with an overarching understanding of the co-ordination of digital security vulnerabilities in practice, while avoiding technical jargon and detailed considerations. It may also help technical security experts to communicate with policy makers and non-technical experts in their organisation such as CEOs, board members, communication, and legal departments, etc. This document is expected to be sufficiently consistent with technical standards and other guides targeting technical experts in this area, does not aim to replace them, but rather helps raise awareness about their existence and the need for practitioners to use them.

Date
January 25, 2023
Organization
Organization for Economic Co-operation and Development (OECD)
Jurisdiction
International / Standards Bodies
Region
International
Requirement
Recommended
Policy
Payment Card Industry Data Security Standard (PCI-DSS) 4.0
Applies to
Organizations that use or facilitate payments with major credit card issuers
Provision
6.3.1
Description

Section 6.3 - Security vulnerabilities are identified and addressed. 

In the 'defined approach requirements', PCI urges organizations to identify vulnerabilities "using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs)." Although Section 6.3 does not make a broad recommendation for covered entities to have CVD/VDPs, it comes close in its guidance for in-house developed software. Specifically, it states: "For control over in-house developed software, the organization may receive such information from external sources. The organization can consider using a 'bug bounty' program where it posts information (for example, on its website) so third parties can contact the organization with vulnerability information. External sources may include independent investigators or companies that report to the organization about identified vulnerabilities and may include sources such as the Common Vulnerability Scoring System (CVSS) or the OWASP Risk Rating Methodology."

Date
March 2022
Organization
Payment Card Industry Security Standards Council (PCI-SSC)
Jurisdiction
Japan
Region
Asia/Pacific
Requirement
Recommended
Policy
Information Security Early Warning Partnership Guideline
Applies to
Software Developers and Website Developers
Provision
N/A
Description
Japan's Information-technology Promotion Agency (IPA) collects vulnerability reports from informers and, either directly or through JPCERT/CC, passes the information to the affected parties: IPA handles website vulnerabilities, while JPCERT/CC coordinates software vulnerabilities with the developers. According to IPA, the process is aligned with ISO/IEC 29147:2014 (the standard has since been revised as ISO/IEC 29147:2018).
Date
May 2022
Organization
IPA / JPCERT
Jurisdiction
Netherlands
Region
Europe
Requirement
Recommended
Policy
Coordinated Vulnerability Disclosure: the Guideline
Applies to
Companies and organizations
Provision
N/A
Description
Outlines best practices for organizations to create their own CVD policy. It focuses on 5 broad areas: 
1. Explaining the goal of a CVD 
2. Defining the differing areas of responsibility for organizations and the party reporting a vulnerability 
3. Proposing structures of a CVD within an organization, proposing terms for an individual, and proposing coordination with the NCSC 
4. Clarifying the process for the communication of a vulnerability 
5. Providing examples of existing CVD policies
Date
October 2018
Organization
National Cyber Security Centre, Ministry of Justice and Security
Jurisdiction
New Zealand
Region
Asia/Pacific
Requirement
Recommended
Policy
Information Security Manual (ISM)
Applies to
New Zealand Government departments, agencies and organizations; Crown entities, local government and private sector organizations
Provision
Objective 5.9
Description
Objective 5.9.1. Agencies implement a Vulnerability Disclosure Policy (VDP) to enable members of the public to report vulnerabilities in the agency’s public-facing systems and applications and receive feedback on such reports. 
 
Objective 5.9.20. A VDP will typically include: A scoping statement setting out which systems the policy applies to (e.g. the agency’s website and other public-facing systems); Details of how finders can contact the agency’s security team (including any public keys for encrypting reports); Permitted activities; Acknowledgement of reports and a response time (typically 60 or 90 days) for corrections, adjustments, or other “fixes”; Reporters/finders agreeing to not share information about the vulnerability until the end of the disclosure period, to let the organisation fix the issues before it becomes public; Illegal activities are not permitted (specifying any relevant legislation, such as the Crimes Act, the Privacy Act etc.); and Either a statement that bug bounties will not be paid for any discoveries, or information about the agency’s bug bounty programme.
Date
January 2022
Organization
Government Communications Security Bureau
Jurisdiction
Portugal
Region
Europe
Requirement
Recommended
Policy
National Cybersecurity Framework
Applies to
Public and private organizations
Provision
4.6.3 RS.AN-5
Description
Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources - The organization should have a formal process to receive the submission of vulnerabilities from internal or external sources (e.g.: internal tests, vulnerability reports, security researchers). Each submission should be analyzed, verified and follow the process for security incident handling, unless it is a false positive.
Date
April 2020
Organization
National Cybersecurity Centre (CNCS)
Jurisdiction
Singapore
Region
Asia/Pacific
Requirement
Recommended
Policy
Responsible Vulnerability Disclosure Policy
Applies to
System Owners
Provision
Responsible Disclosure Guidelines
Description
Recommends and outlines best practices for "Informers" and "System Owners". The policy also explains in which cases SingCERT can/cannot act as a conduit between Informers and System Owners. Broadly speaking, "SingCERT supports RVD as a means of fostering cooperation between System Owner(s) and the wider cybersecurity community, so as to improve cybersecurity and build a trusted and resilient cyberspace."
 
"System Owners are encouraged to develop their own vulnerability disclosure policies setting out how vulnerability reports will be received and handled, what the reports should contain, approaches for disclosure to affected users and the public, as well as any rewards policies." They are also encouraged to keep an open line of contact with the Informer to obtain further information, and to update both SingCERT and the Informer on their assessment.
 
If the Informer cannot reach the System Owner for some reason, SingCERT can act as a liaison between the two. For this process, that informer would report the vulnerability to SingCERT via email. 
Date
N/A
Organization
Cyber Security Agency of Singapore / SingCERT
Jurisdiction
Slovakia
Region
Europe
Requirement
Recommended
Policy
Vulnerability Reporting Guideline
Applies to
Companies and organizations, Reporters of vulnerabilities
Provision
N/A
Description
Provides recommended procedures for the reporter of a vulnerability:
1. Report the vulnerability to the National Cyber Security Centre SK-CERT as soon as it is detected, to minimise the risk of abuse by attackers.
2. For confidentiality, it is recommended to encrypt the communication with PGP.
3. The report must include a detailed description of the problem. A suggested fix may also be included.
4. It is recommended to include detailed contact information in the report, along with a means of secure communication (e.g. a PGP fingerprint).
5. SK-CERT may assist the reporter by: assessing the reported vulnerability from an expert viewpoint; registering a CVE number for the vulnerability; identifying the entities concerned and their respective contacts (the manufacturer, national CSIRTs, affected users); and contacting the entities concerned either with the reporter's identity or anonymously.
6. The reporter may specify a remediation period for the affected entity during which the vulnerability is not disclosed publicly. If the entity does not respond to the report and the deadline expires, the reporter may disclose the vulnerability publicly. It is good practice to include solution or mitigation methods in the report. The default period is 30 to 90 days, depending on the nature of the vulnerability.
 
Provides recommended procedures for the entities affected by a vulnerability. They should have in place:
• a process for vulnerability reporting (within which each reported issue is assessed, not only higher-severity vulnerabilities);
• a process for vulnerability prioritisation and management;
• a process for vulnerability disclosure to the public.
1. The response to each report should be prompt and proportionate to the reported vulnerability.
2. The vulnerability management process should be given high priority, and vulnerabilities should be fixed in the next update.
3. The vulnerability management process should also include identifying potential victims and the method of notifying them.
4. If the vulnerability is to be disclosed to the public, the company determines the date of disclosure and notifies the reporter if the vulnerability was not found by the company itself. After consulting the reporter, it also chooses an appropriate channel for disclosing the vulnerability to the community and the public.
5. The company may reward the reporter for reporting the vulnerability. It may also "offer a reward" for finding vulnerabilities in its products; this is recommended to improve the security of the company's products and services.
6. Vulnerability reporting should be seen as an opportunity to improve products and a chance to learn of a vulnerability before its abuse causes damage to the user, operator or manufacturer of the product or service. It is therefore recommended to treat the reporter gratefully, as a person who wants to help, like a friendly co-worker. This does not preclude legal action if the reporter's actions are manifestly unethical or illegal.
Date
September 2019
Organization
SK CERT
Jurisdiction
Spain
Region
Europe
Requirement
Recommended
Policy
Vulnerability Disclosure Policy / Coordinated Vulnerability Disclosure Policy
Applies to
Reporters of vulnerabilities / good faith security researchers
Provision
N/A
Description
INCIBE-CERT has an established CVD (Coordinated Vulnerability Disclosure) policy that supports those who wish to provide information on vulnerabilities detected, both in INCIBE-CERT's own systems and in the systems of third parties, citizens and private entities in Spain. For this reason, INCIBE-CERT provides support to those people who wish to provide information on vulnerabilities they have detected, and acts by anonymising the informant's data, unless the informant expressly indicates otherwise (at any time during the vulnerability management) or a judge so requires.
Date
N/A
Organization
Instituto Nacional de Ciberseguridad (INCIBE) - CERT
Jurisdiction
United Kingdom
Region
Europe
Requirement
Recommended
Policy
Code of Practice for consumer IoT security
Applies to
Device manufacturers, IoT service providers, mobile application developers, retailers
Provision
Guideline 2
Description
2. Implement a vulnerability disclosure policy 
 
All companies that provide internet-connected devices and services shall provide a public point of contact as part of a vulnerability disclosure policy in order that security researchers and others are able to report issues. Disclosed vulnerabilities should be acted on in a timely manner.
Date
October 14, 2018
Organization
Department of Science, Innovation, & Technology
Jurisdiction
United Kingdom
Region
Europe
Requirement
Recommended
Policy
Code of practice for app store operators and app developers
Applies to
App Store Operators and App Developers
Provision
Sec. 3
Description

App Store Operators and App Developers listing apps on them should have a VDP (contact details/contact form); App Store Operators should verify that App Developers abide by these practices; App Store Operators should accept vulnerability disclosure reports on behalf of App Developers if they have not acknowledged the vulnerability - if the App Developer still fails to acknowledge the vulnerability, the App Store Operator should delist the app from its platform.

Date
October 24, 2023
Organization
Department of Science, Innovation, & Technology
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
Recommended Criteria for Cybersecurity Labeling of IoT
Applies to
IoT Product Developers
Provision
Section 2.2 - Baseline Product Criteria, Subsection: Documentation (Pg. 8)
Description
Throughout the development lifecycle, the IoT product developer creates or gathers and stores information relevant to the cybersecurity of the IoT product and its product components. With regard to the vulnerability management policies and processes associated with the IoT product, the IoT product developer should have the following:
i. Methods of receiving reports of vulnerabilities
ii. Processes for recording reported vulnerabilities
iii. Policy for responding to reported vulnerabilities, including the process of coordinating vulnerability response activities among component suppliers and third-party vendors
iv. Policy for disclosing reported vulnerabilities
v. Processes for receiving notification from component suppliers and third-party vendors about any change in the status of their supplied components, such as end of production, end of support, deprecated status (e.g., the product is no longer recommended for use), or known insecurities.
Date
February 2022
Organization
NIST
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
Executive Order 14028
Applies to
Software developers and vendors (specifically those that supply the federal government, but could also apply to other software developers)
Provision
Sec. 4(e)(viii)
Description
Requires NIST to issue guidance identifying practices that enhance security of the software supply chain. In the guidance NIST must include standards, procedures, or criteria related to, among other issues, "participating in a vulnerability disclosure program that includes a reporting and disclosure process."
Date
May 2021
Organization
White House
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
A Framework for a Vulnerability Disclosure Program for Online Systems
Applies to
Organizations
Provision
N/A
Description
A framework to assist organizations interested in instituting a formal vulnerability disclosure program.
 
It provides a rubric of considerations that may inform the content of vulnerability disclosure policies. The framework does not dictate the form of or objectives for vulnerability disclosure programs; different organizations may have differing goals and priorities for their vulnerability disclosure programs. Instead, the framework outlines a process for designing a vulnerability disclosure program that will clearly describe authorized vulnerability disclosure and discovery conduct, thereby substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act.
 
The framework consists of four steps: 
1. Design the vulnerability disclosure program
2. Plan for administering the vulnerability disclosure program
3. Draft a vulnerability disclosure policy that accurately and unambiguously captures the organization’s intent
4. Implement the vulnerability disclosure program
Date
July 2017
Organization
U.S. Department of Justice
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
National Cybersecurity Strategy
Applies to
Software developers and vendors
Provision
Strategic Objective 3.3: Shift Liability for Insecure Software Products and Services
Description
"To further incentivize the adoption of secure software development practices, the Administration will encourage coordinated vulnerability disclosure across all technology types and sectors."
Date
March 2023
Organization
White House
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
“Early Stage” Coordinated Vulnerability Disclosure Template Version 1.1
Applies to
Companies and organizations, especially those in "safety-critical industries" (e.g., automotive, medical devices, etc.)
Provision
N/A
Description
In 2016, NTIA convened "a multistakeholder process to address principles and practices around security researcher disclosure." The NTIA Safety Working Group produced this document to outline the initial steps an organization can take to improve collaboration within the context of vulnerability disclosure and remediation. "Much of the discussion targeted the safety-critical industry, in which the potential for harm directly impacts public safety or causes physical damage (e.g., automobiles or medical devices), but the lessons are easily adaptable by any organization that builds or maintains its own software systems." NTIA's document is broken into the following sections:
1. Introduction: Disclosure and Safety
2. Disclosure Policy: First Steps
3. Template Disclosure Policy
4. Sample Vulnerability Disclosure Policy Template
5. Issues to Consider in Writing a Disclosure Policy
Date
December 2016
Organization
National Telecommunications and Information Administration
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
NIST SP 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines
Applies to
Federal agencies and contractors providing IoT devices to the Federal government
Provision
N/A
Description
Implements the requirements listed in the IoT Cybersecurity Improvement Act of 2020 with guidelines: 
 
"(1) for the reporting, coordinating, publishing, and receiving information about a security vulnerability relating to information systems owned or controlled by an agency (including Internet of Things devices owned or controlled by an agency); and the resolution of such security vulnerability; and (2) for a contractor providing to an agency an information system (including an Internet of Things device) and any subcontractor thereof at any tier providing such information system to such contractor, on— receiving information about a potential security vulnerability relating to the information system; and disseminating information about the resolution of a security vulnerability relating to the information system."
 
The Guidelines are aligned with ISO/IEC 29147 and 30111: "The document defines the Federal Coordination Board (FCB) as the primary interface for vulnerability disclosure reporting and oversight. It also defines Vulnerability Disclosure Program Offices (VDPOs) that are usually part of the Information Technology Security Offices (ITSOs). The FCB and VDPOs work together to address vulnerability disclosure in the Federal Government."
Date
May 2023
Organization
NIST
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
Vulnerability Disclosure Attitudes and Actions
Applies to
Organizations
Provision
N/A
Description
In September 2015, the National Telecommunications and Information Administration (NTIA) convened a multi-stakeholder process to investigate software vulnerability disclosure and handling practices. The process was open to any interested participant and included members from business, government, and civil society. Members organized into three working groups to study different aspects of vulnerability disclosure and handling. This report is a product of the "Awareness and Adoption Working Group," which focused on increasing understanding and use of best practices.
Date
December 2016
Organization
National Telecommunications and Information Administration
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
Cyber Related Sanctions FAQs
Applies to
Reporters of vulnerabilities / good faith security researchers
Provision
FAQ 448
Description
Question: I conduct cyber-related activities for legitimate educational, network defense, or research purposes only. Am I vulnerable to the application of sanctions under this authority for these activities? 
 
Answer: The measures in this order are directed against significant malicious cyber-enabled activities that have the purpose or effect of causing specific enumerated harms, and are not designed to prevent or interfere with legitimate cyber-enabled academic, business, or non-profit activities. The U.S. government supports efforts by researchers, cybersecurity experts, and network defense specialists to identify, respond to, and repair vulnerabilities that could be exploited by malicious actors. Similarly, these measures are not intended to target persons engaged in legitimate activities to ensure and promote the security of information systems, such as penetration testing and other methodologies, or to prevent or interfere with legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions, competitions, or similar “good faith” events.
Date
April 2015
Organization
Office of Foreign Assets Control (OFAC)
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
NIST SP 800-218, Secure Software Development Framework
Applies to
Software developers
Provision
RV.1.3
Description
RV.1.3: Have a policy that addresses vulnerability disclosure and remediation, and implement the roles, responsibilities, and processes needed to support that policy.
Date
February 2022
Organization
NIST
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
NIST Cybersecurity Framework 2.0
Applies to
All organizations that use the CSF
Provision
ID.RA.08
Description
"Processes for receiving, analyzing, and responding to vulnerability disclosures are established" within an organization.
Date
February 2024
Organization
NIST
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
NIST 800-53 Rev 5, Security and Privacy Controls for Information Systems and Organizations
Applies to
Federal agencies and contractors (via FISMA)
Provision
RA-5, SR-8
Description
RA-5: (Vulnerability Monitoring and Scanning) Subsection F states "employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned." In the discussion of the control, NIST states "vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation."
 
SR-8: (Notification Agreements) states to "establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [Selection (one or more): notification of supply chain compromises; results of assessments or audits; [Assignment: organization-defined information]]."
Date
September 2020
Organization
NIST
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
FDA Postmarket Guidance for Medical Devices
Applies to
Medical device manufacturers
Provision
Sec. V(B), VII
Description

Section V(B): Manufacturers should implement "Cybersecurity Risk Management Programs" that include "adopting a coordinated vulnerability disclosure policy and practice." Since the rule was published in 2016, it suggests that manufacturers make use of the ISO/IEC 29147:2014 (Information Technology - Security Techniques - Vulnerability Disclosure) Standard, which has since been replaced by a new version in 2018. 

Section VII: Manufacturers should "adopt a coordinated vulnerability disclosure policy and practice that includes acknowledging receipt of the initial vulnerability report to the vulnerability submitter

Date
December 2016
Organization
FDA
Jurisdiction
European Union
Region
Europe
Requirement
Required *Coming Soon
Policy
Cyber Resilience Act (CRA)
Applies to
Manufacturers of software and digitally-enabled devices in the EU Single Market
Provision
Annex 1 Sec. 2(5)
Description

Requires manufacturers to put in place and enforce a policy on coordinated vulnerability disclosure. 
Date
TBD
Organization
European Union
Jurisdiction
European Union
Region
Europe
Requirement
Required *Coming Soon
Policy
NIS 2 Directive (Directive (EU) 2022/2555)
Applies to
EU Member States (and their designated CSIRT) and ENISA
Provision
Article 12(1)
Description

Requires each Member State to designate a Computer Security Incident Response Team (CSIRT) as the coordinator for CVD. That CSIRT will act as a trusted intermediary between natural or legal persons reporting a vulnerability and the manufacturer of the ICT product or service. ENISA must also develop a European vulnerability database.

Date
October 17, 2024
Organization
European Parliament / Commission / Council
Jurisdiction
European Union
Region
Europe
Requirement
Required *Coming Soon
Policy
NIS 2 Directive (Directive (EU) 2022/2555)
Applies to
Important and essential entities (as defined, similar to critical infrastructure)
Provision
Article 21.2(e)
Description

2. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

Date
October 17, 2024
Organization
European Parliament / Commission / Council
Jurisdiction
United States
Region
North America
Requirement
Required *Coming Soon
Policy
Federal Information Security Modernization Act (FISMA) 2023
Applies to
Federal agencies, excluding "national security systems"
Provision
Sec. 12(f)
Description
The head of each federal agency must develop and make publicly available a vulnerability disclosure policy for their agency, clearly defining a scope and directions for how to submit information. The head of each agency should coordinate with the Director of CISA in creating the policy. Agencies should not pursue legal action against submitters that made a "good faith effort" to identify a vulnerability and report it. The legislation does not apply to national security systems.
Date
TBD
Organization
Congress / CISA
Jurisdiction
United States
Region
North America
Requirement
Required *Coming Soon
Policy
Cybersecurity in the Marine Transportation System
Applies to
U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations
Provision
Sec. 101.650(e)(3)(ii)
Description

(3) Routine system maintenance. Each owner or operator or a designated CySO of a vessel, facility, or OCS facility must ensure the following measures for routine system maintenance are in place and documented in Section 6 of the Cybersecurity Plan: 

(i) Ensure patching or implementation of documented compensating controls for all KEVs in critical IT or OT systems, without delay; 

(ii) Maintain a method to receive and act on publicly submitted vulnerabilities; 

(iii) Maintain a method to share threat and vulnerability information with external stakeholders; 

(iv) Ensure there are no exploitable channels directly exposed to internet-accessible systems; 

(v) Ensure no OT is connected to the publicly accessible internet unless explicitly required for operation, and verify that, for any remotely accessible OT system, there is a documented justification; and 

(vi) Conduct vulnerability scans as specified in the Cybersecurity Plan.

Date
TBD
Organization
U.S. Coast Guard
Jurisdiction
Czechia
Region
Europe
Requirement
Recommended *Coming Soon
Policy
Action Plan for the National Cybersecurity Strategy of the Czech Republic 2021-2025
Applies to
TBD
Provision
Code 11
Description
Czechia's NUKIB will "draft a national policy proposal for the coordinated disclosure of vulnerabilities" by Q4 2021.
Date
TBD
Organization
National Cyber and Information Security Agency (NÚKIB)
Jurisdiction
Denmark
Region
Europe
Requirement
Recommended *Coming Soon
Policy
The Danish National Strategy for Cyber and Information Security
Applies to
Government agencies
Provision
Appendix 1.12
Description
A pilot of a government CVD (Coordinated Vulnerability Disclosure) policy will be launched. A government CVD policy will describe the framework for government agencies to allow private individuals (“helpful hackers”) to identify and report vulnerabilities in ICT systems.
Date
December 2021
Organization
Danish Government
Jurisdiction
Germany
Region
Europe
Requirement
Recommended *Coming Soon
Policy
Cyber Security Strategy for Germany 2021
Applies to
Government agencies
Provision
Section 8.1.8
Description
8.1.8 Responding responsibly to vulnerabilities – promoting coordinated vulnerability
 
Our aim is for the Federal Government to develop a framework to ensure that those reporting bugs have legal certainty if they approach companies to inform them that they have become aware of vulnerabilities, with a view to fostering proactive vulnerability governance. There will be reliable points of contact for them to report their findings. These can take the form of internal contact points which companies themselves are obligated to set up, or the BSI as a public liaison office. The legislator will obligate the companies affected to provide points of contact and processes to enable them to fix reported vulnerabilities in a suitable time frame. The extent to which the rights and duties are set out on both sides of the CVD process will be examined. These rights and duties could include a holdback period before making vulnerabilities public or a binding deadline for patches or updates. A coordinated process will be put in place between the BSI and manufacturers which extends beyond the simple exchange of information. This will also apply to vulnerabilities in the IT supply chains of products and services (supply chain security).
Date
2021
Organization
Federal Ministry of the Interior, Building, and Community
Jurisdiction
Latvia
Region
Europe
Requirement
Recommended *Coming Soon
Policy
The Cybersecurity Strategy of Latvia 2023-2026
Applies to
Institutions
Provision
Directive 1 (Page 20)
Description
The newly created National Cybersecurity Centre will oversee, with the assistance of the Constitution Protection Bureau, the voluntary implementation of a coordinated vulnerability disclosure process within institutions in line with NIS2.
Date
2023
Organization
Ministry of Defense
Jurisdiction
Luxembourg
Region
Europe
Requirement
Recommended *Coming Soon
Policy
National Cybersecurity Strategy IV (2021-2025)
Applies to
TBD
Provision
Objective 1.5
Description
The Government will propose the necessary legislative changes and initiatives to make possible or deepen different approaches in order to improve cybersecurity by using the collective intelligence of security researchers, private companies active in the search for vulnerabilities and any users who discover a security breach. The possibility of creating, in the near future, a platform at GOVCERT.LU that encourages researchers to report bugs, especially those associated with vulnerabilities, will be analysed.
Date
October 2021
Organization
High Commission for National Protection
Jurisdiction
United Kingdom
Region
Europe
Requirement
Recommended *Coming Soon
Policy
Cyber Security of AI
Applies to
Developers and System Operators
Provision
Principle 6.3, Principle 11.2
Description
6.3 Developers and System Operators shall implement and publish an effective vulnerability disclosure process to support a transparent and open culture within the organisation. 
 
11.2 Developers shall provide security updates and patches, where possible, and notify System Operators and End-users of the security updates. 
11.2.1 In instances where updates can’t be provided, Developers shall have mechanisms for escalating issues to the wider community, particularly customers and other Developers. To help deliver this, they could publish bulletins responding to vulnerability disclosures, including detailed and complete common vulnerability enumeration. 
Date
TBD
Organization
Department of Science, Innovation, & Technology
Jurisdiction
United Kingdom
Region
Europe
Requirement
Recommended *Coming Soon
Policy
Code of Practice for Software Vendors
Applies to
Software developers, distributors, and resellers
Provision
Principle 3.2
Description
3.2 Ensure the organisation implements and publishes an effective vulnerability disclosure process to support a transparent and open culture within the organisation. 
 
Associated technical control: Implement a vulnerability disclosure policy. (The organisation publishes a vulnerability disclosure policy which provides a public point of contact in order that security researchers and others are able to report issues. Disclosed vulnerabilities are then reported to relevant parties (outlined in the implementation guidance) and acted on in a timely manner.)
Date
TBD
Organization
Department of Science, Innovation, & Technology