Jurisdiction
Region
Requirement
Policy
National Cybersecurity Framework
Applies to
Public and private organizations
Provision
4.6.3 RS.AN-5
Description
Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources - The organization should have a formal process to receive the submission of vulnerabilities from internal or external sources (e.g., internal tests, vulnerability reports, security researchers). Each submission should be analyzed and verified, and should follow the process for security incident handling, unless it is a false positive.
Date
April 2020
Organization
National Cybersecurity Centre (CNCS)