States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure. 

Report adopted by UN General Assembly Resolution 70/237: https://documents.un.org/doc/undoc/gen/n15/457/57/pdf/n1545757.pdf

This document provides requirements and recommendations for how to process and remediate reported potential vulnerabilities in a product or service.

This document is applicable to vendors involved in handling vulnerabilities

This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1[1]. Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected. This document provides:

— guidelines on receiving reports about potential vulnerabilities;

— guidelines on disclosing vulnerability remediation information;

— terms and definitions that are specific to vulnerability disclosure;

— an overview of vulnerability disclosure concepts;

— techniques and policy considerations for vulnerability disclosure;

— examples of techniques, policies (Annex A), and communications (Annex B).

Other related activities that take place between receiving and disclosing vulnerability reports are described in ISO/IEC 30111.

This good practice guidance aims to provide policy makers with an overarching understanding of the co-ordination of digital security vulnerabilities in practice, while avoiding technical jargon and detailed considerations. It may also help technical security experts to communicate with policy makers and non-technical experts in their organisation such as CEOs, board members, communication, and legal departments, etc. This document is expected to be sufficiently consistent with technical standards and other guides targeting technical experts in this area, does not aim to replace them, but rather helps raise awareness about their existence and the need for practitioners to use them.

The purpose of this Recommendation is to provide guidance on how to implement the Digital Security Recommendation to develop public policies to foster vulnerability treatment in order to reduce digital security risk, thereby strengthening trust and supporting digital transformation.

Section 6.3 - Security vulnerabilities are identified and addressed. 

In the 'defined approach requirements', PCI urges organizations to identify vulnerabilities "using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs). Although Section 6.3 does not make a broad recommendation for covered entities to have CVD/VDPs, it comes close in its guidance for in-house developed software. Specifically, it states "For control over in-house developed software, the organization may receive such information from external sources. The organization can consider using a “bug bounty” program where it posts information (for example, on its website) so third parties can contact the organization with vulnerability information. External sources may include independent investigators or companies that report to the organization about identified vulnerabilities and may include sources such as the Common Vulnerability Scoring System (CVSS) or the OWASP Risk Rating Methodology."