Jurisdiction:
Region:
Requirement:
Policy: Protective Security Policy Framework - Policy 11 - Robust ICT Systems
Applies to: Australian Government entities
Provision: C.6
Description:

C.6 Vulnerability Disclosure Program

60. Requirement 4 mandates that all entities must have in place a vulnerability disclosure program. This includes having a publicly available vulnerability disclosure policy supported by processes and procedures for receiving, verifying, resolving and reporting on security vulnerabilities disclosed by both internal and external sources.

61. Implementing a vulnerability disclosure program, based on responsible disclosure, can assist entities, vendors and service providers to improve the security of their products and services as it provides a way for security researchers, customers and members of the public to responsibly notify them of potential security vulnerabilities in a coordinated manner. Furthermore, following the verification and resolution of a reported security vulnerability, it can assist entities, vendors and service providers in notifying their customers of any security vulnerabilities that have been discovered in their products and services and any recommended security patches, updates or mitigations.

62. For guidance on the creation and maintenance of vulnerability disclosure programs, see the Information Security Manual and Guidelines for Software Development.

Date: July 29, 2022
Organization: Australian Department of Home Affairs

Jurisdiction:
Region:
Requirement:
Policy: Code of Practice: Securing the Internet of Things for Consumers
Applies to: Device Manufacturers, IoT Service Providers and Mobile Application Developers
Provision: Principle 2
Description:

Principle 2: Implement a vulnerability disclosure policy

IoT device manufacturers, IoT service providers and mobile application developers should provide a public point of contact as part of a vulnerability disclosure policy in order for security researchers and others to report issues. Disclosed vulnerabilities should be acted on in a timely manner. Implementing a bug bounty program encourages and rewards the cyber security community for identifying and reporting vulnerabilities, thereby facilitating the responsible and coordinated disclosure and remediation of vulnerabilities.

Primarily applies to Device Manufacturers, IoT Service Providers and Mobile Application Developers.

Date: 2020
Organization: Australian Government

Jurisdiction:
Region:
Requirement:
Policy: Information Security Manual (ISM)
Applies to: Large companies, Government agencies
Provision: Pg. 106 (Controls ISM-1616, ISM-1755, ISM-1756, ISM-1717)
Description:

Control: ISM-1616; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A
A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services.

Control: ISM-1755; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: N/A
A vulnerability disclosure policy is developed, implemented and maintained.

Control: ISM-1756; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: N/A
Vulnerability disclosure processes, and supporting vulnerability disclosure procedures, are developed, implemented and maintained.

Control: ISM-1717; Revision: 2; Updated: Sep-23; Applicability: All; Essential Eight: N/A
A ‘security.txt’ file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of vulnerabilities in an organisation’s products and services.

Date: September 2023
Organization: Australian Signals Directorate (ASD)