Section 6.3 - Security vulnerabilities are identified and addressed.
In the 'defined approach requirements', PCI urges organizations to identify vulnerabilities "using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs)." Although Section 6.3 does not make a broad recommendation for covered entities to have CVD/VDPs, it comes close in its guidance for in-house developed software. Specifically, it states: "For control over in-house developed software, the organization may receive such information from external sources. The organization can consider using a 'bug bounty' program where it posts information (for example, on its website) so third parties can contact the organization with vulnerability information. External sources may include independent investigators or companies that report to the organization about identified vulnerabilities and may include sources such as the Common Vulnerability Scoring System (CVSS) or the OWASP Risk Rating Methodology."
The manufacturer shall make a vulnerability disclosure policy publicly available. This policy shall include, at a minimum:
• contact information for the reporting of issues; and
• information on timelines for: 1) initial acknowledgement of receipt; and 2) status updates until the resolution of the reported issues.
Provides guidance regarding the "essential steps" companies should take when deciding to implement a VDP. ETSI explicitly states that the document is not intended to be a 'comprehensive' guide.