States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure.
Report adopted by UN General Assembly Resolution 70/237: https://documents.un.org/doc/undoc/gen/n15/457/57/pdf/n1545757.pdf
This document provides requirements and recommendations for how to process and remediate reported potential vulnerabilities in a product or service.
This document is applicable to vendors involved in handling vulnerabilities.
This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1[1]. Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected. This document provides:
— guidelines on receiving reports about potential vulnerabilities;
— guidelines on disclosing vulnerability remediation information;
— terms and definitions that are specific to vulnerability disclosure;
— an overview of vulnerability disclosure concepts;
— techniques and policy considerations for vulnerability disclosure;
— examples of techniques, policies (Annex A), and communications (Annex B).
Other related activities that take place between receiving and disclosing vulnerability reports are described in ISO/IEC 30111.
This good practice guidance aims to provide policy makers with an overarching understanding of the co-ordination of digital security vulnerabilities in practice, while avoiding technical jargon and detailed considerations. It may also help technical security experts to communicate with policy makers and non-technical experts in their organisation, such as CEOs, board members, and communication and legal departments. This document is expected to be sufficiently consistent with technical standards and other guides targeting technical experts in this area; it does not aim to replace them, but rather helps raise awareness of their existence and of the need for practitioners to use them.
The purpose of this Recommendation is to provide guidance on how to implement the Digital Security Recommendation to develop public policies to foster vulnerability treatment in order to reduce digital security risk, thereby strengthening trust and supporting digital transformation.