\
Jurisdiction
Australia
Region
Asia/Pacific
Requirement
Required
Policy
Protective Security Policy Framework - Policy 11 - Robust ICT Systems
Applies to
Australian Government entities
Provision
C.6
Description

C.6 Vulnerability Disclosure Program 

60. Requirement 4 mandates that all entities must have in place a vulnerability disclosure program. This includes having a publicly available vulnerability disclosure policy supported by processes and procedures for receiving, verifying, resolving and reporting on security vulnerabilities disclosed by both internal and external sources. 

61. Implementing a vulnerability disclosure program, based on responsible disclosure, can assist entities, vendors and service providers to improve the security of their products and services as it provides a way for security researchers, customers and members of the public to responsibly notify them of potential security vulnerabilities in a coordinated manner. Furthermore, following the verification and resolution of a reported security vulnerability, it can assist entities, vendors and service providers in notifying their customers of any security vulnerabilities that have been discovered in their products and services and any recommended security patches, updates or mitigations. 

62. For guidance on the creation and maintenance of vulnerability disclosure programs, see the Information Security Manual and Guidelines for Software Development.

Date
July 29, 2022
Organization
Australian Department of Home Affairs
View source
Jurisdiction
Australia
Region
Asia/Pacific
Requirement
Recommended
Policy
Code of Practice: Securing the Internet of Things for Consumers
Applies to
Device Manufacturers, IoT Service Providers and Mobile Application Developers
Provision
Principle 2
Description

Principle 2: Implement a vulnerability disclosure policy 

IoT device manufacturers, IoT service providers and mobile application developers should provide a public point of contact as part of a vulnerability disclosure policy in order for security researchers and others to report issues. Disclosed vulnerabilities should be acted on in a timely manner. Implementing a bug bounty program encourages and rewards the cyber security community for identifying and reporting vulnerabilities, thereby facilitating the responsible and coordinated disclosure and remediation of vulnerabilities. 

Primarily applies to Device Manufacturers, IoT Service Providers and Mobile Application Developers.

Date
2020
Organization
Australian Government
View source
Jurisdiction
People's Republic of China
Region
Asia/Pacific
Requirement
Required
Policy
Regulations on the Management of Security Vulnerabilities in Network Products
Applies to
Network product providers, network operators and network product security vulnerability collection platforms
Provision
Article 5, Article 6
Description
Article 5: Network product providers, network operators and network product security vulnerability collection platforms shall establish and improve channels for receiving network product security vulnerability information and keep them open, and retain network product security vulnerability information receiving logs for no less than 6 months.  Article 6: "Encourages relevant organizations and individuals to report security vulnerabilities in their products to network product providers" and "Encourage network product providers to establish a reward mechanism for security vulnerabilities in the network products they provide, and reward organizations or individuals who discover and report security vulnerabilities in the network products they provide."
Date
July 2021
Organization
Ministry of Industry and Information Technology
View source
Jurisdiction
Singapore
Region
Asia/Pacific
Requirement
Recommended
Policy
Responsible Vulnerability Disclosure Policy
Applies to
System Owners
Provision
Responsible Disclosure Guidelines
Description
Recommends and outlines best practices for "Informers" and "System Owners". The policy also explains in which cases SingCERT can/cannot act as a conduit between Informers and System Owners. Broadly speaking, "SingCERT supports RVD as a means of fostering cooperation between System Owner(s) and the wider cybersecurity community, so as to improve cybersecurity and build a trusted and resilient cyberspace." "System Owners are encouraged to develop their own vulnerability disclosure policies setting out how vulnerability reports will be received and handled, what the reports should contain, approaches for disclosure to affected users and the public, as well as any rewards policies." They are also encouraged to keep open contact with the former to take in more information and to update SingCERT and the Informer of its assessments.  If the Informer cannot reach the System Owner for some reason, SingCERT can act as a liaison between the two. For this process, that informer would report the vulnerability to SingCERT via email. 
 Version 2.0 of this manual was released in October 2024.
Date
October 2024
Organization
Cyber Security Agency of Singapore / SingCERT
View source
Jurisdiction
Japan
Region
Asia/Pacific
Requirement
Recommended
Policy
Information Security Early Warning Partnership Guideline
Applies to
Software Developers and Website Developers
Provision
N/A
Description
Japan's Information-Technology, Promotion Agency (IPA) has a policy of collecting information from informers and, either by itself, or through JPCERT/CC, passes that information onto the relevant parties. IPA handles website vulnerabilities and JPCERT/CC handles software vulnerabilities. According to IPA, the process is in alignment with ISO/IEC 29147:2014 (which as noted with regards to the US FDA's regulations, was updated in 2018). In 2024, Japan's "Standards for Handling Vulnerability-related Information of Software Products and Others" were partially amended to enhance the coordination and communication processes among stakeholders, including finders, software developers, and website operators, thereby improving the overall management and disclosure of vulnerability-related information. 
Date
September 2024
Organization
IPA / JPCERT
View source
Jurisdiction
New Zealand
Region
Asia/Pacific
Requirement
Recommended
Policy
Information Security Manual (ISM)
Applies to
New Zealand Government departments, agencies and organizations; Crown entities, local government and private sector organizations
Provision
Objective 5.9
Description
Objective 5.9.1. Agencies implement a Vulnerability Disclosure Policy (VDP) to enable members of the public to report vulnerabilities in the agency’s public-facing systems and applications and receive feedback on such reports.  Objective 5.9.20. A VDP will typically include: A scoping statement setting out which systems the policy applies to (e.g. the agency’s website and other public-facing systems); Details of how finders can contact the agency’s security team (including any public keys for encrypting reports); Permitted activities; Acknowledgement of reports and a response time (typically 60 or 90 days) for corrections, adjustments, or other “fixes”; Reporters/finders agreeing to not share information about the vulnerability until the end of the disclosure period, to let the organisation fix the issues before it becomes public; Illegal activities are not permitted (specifying any relevant legislation, such as the Crimes Act, the Privacy Act etc.); and Either a statement that bug bounties will not be paid for any discoveries, or information about the agency’s bug bounty programme. Version 3.8 of this manual was released in September 2024. 
Date
September 2024
Organization
Government Communications Security Bureau
View source
Jurisdiction
Australia
Region
Asia/Pacific
Requirement
Recommended
Policy
Information Security Manual (ISM)
Applies to
Large companies, Government agencies
Provision
Pg. 106 (Controls ISM-1616, ISM-1755, ISM-1756, ISM-1717)
Description
Control: ISM-1616; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services.  Control: ISM-1755; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: N/A A vulnerability disclosure policy is developed, implemented and maintained.  Control: ISM-1756; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: N/A Vulnerability disclosure processes, and supporting vulnerability disclosure procedures, are developed, implemented and maintained. Control: ISM-1717; Revision: 2; Updated: Sep-23; Applicability: All; Essential Eight: N/A A ‘security.txt’ file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of vulnerabilities in an organisation’s products and services. 
Date
September 2023
Organization
Australian Signals Directorate (ASD)
View source
Subscribe to Asia/Pacific