C.6 Vulnerability Disclosure Program
60. Requirement 4 mandates that all entities must have in place a vulnerability disclosure program. This includes having a publicly available vulnerability disclosure policy supported by processes and procedures for receiving, verifying, resolving and reporting on security vulnerabilities disclosed by both internal and external sources.
61. Implementing a vulnerability disclosure program based on responsible disclosure can help entities, vendors and service providers improve the security of their products and services, because it gives security researchers, customers and members of the public a coordinated way to notify them of potential security vulnerabilities. Once a reported vulnerability has been verified and resolved, the same program can also help entities, vendors and service providers notify their customers of the vulnerabilities discovered in their products and services and of any recommended security patches, updates or mitigations.
62. For guidance on the creation and maintenance of vulnerability disclosure programs, see the Information Security Manual and Guidelines for Software Development.
7.1.4. Item 6.1.5 - Provide a communication channel through which customers, end users and third parties can report security vulnerabilities identified in the products.
7.1.4.1. This channel must: a) be dedicated exclusively to vulnerability reports; and b) use secure communications, for example a web form served over HTTPS, or e-mail encrypted with PGP or another public-key scheme (the public key associated with the e-mail address must be published so that reporters can, if they wish, send encrypted messages).
7.1.5. Item 6.1.6 - Have in place a Coordinated Vulnerability Disclosure process based on internationally recognized good practices and recommendations, such as references 2.6 to 2.8 of this document.
7.1.5.1. The supplier's Coordinated Vulnerability Disclosure Policy must be published on its website and must cover at least the following: a) the supplier's objectives and responsibilities, and what it expects of other interested parties; b) how it wishes to be notified (e.g. e-mail, web form) and the corresponding contact details (e.g. e-mail address, web form URL); c) details of the secure communication options (e.g. PGP key for e-mail, form served over HTTPS); d) what information the reporter must include in a report; e) what the reporter should expect after reporting a vulnerability, for example acknowledgement of receipt, confirmation of the vulnerability, progress updates on the case and the associated timelines; f) guidance on what is in and out of scope of the reporting process, its limitations, and so on.
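Item 6.1.5 b) requires the public key for the reporting mailbox to be published. Before encrypting a report to such a key (or, on the supplier side, before publishing one) it is worth checking that the key actually carries a User ID for the advertised contact address and that the armored block has not been corrupted in transit. The Python below is an added example, not code from ANATEL or from any of the frameworks quoted on this page. It parses the ASCII armor and packet framing of RFC 4880 just far enough to verify the armor CRC and list the primary key's version, creation time, algorithm and User IDs. The key it inspects is constructed inline (toy RSA numbers, no self-signatures; only the framing is real), and security@example.com is an assumed placeholder address. It does not verify self-signatures or key expiry; `gpg --show-keys` remains the tool for that.

```python
"""Inspect a published OpenPGP public key before encrypting a vulnerability report to it.

Added illustration; not code from any of the frameworks quoted on this page.
Verifies the armor CRC and lists User IDs so the advertised contact mailbox
can be checked against the key. Self-signatures and expiry are NOT verified.
"""
import base64
import struct
from datetime import datetime, timezone

PUBLIC_KEY, USER_ID = 6, 13          # RFC 4880 packet tags
ALGORITHMS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip the armor, decode the base64 body and verify the trailing CRC line."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not a PGP public key block")
    body, crc_line = [], None
    for line in lines[1:-1]:
        if not line or ":" in line:       # blank separator line or armor header (Version:, Comment:)
            continue
        if line.startswith("="):          # "=XXXX" CRC-24 of the decoded data
            crc_line = line[1:]
        else:
            body.append(line)
    data = base64.b64decode("".join(body))
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line), "big")
        if crc24(data) != expected:
            raise ValueError("armor CRC mismatch: key block was corrupted or edited")
    return data


def armor_is_intact(text: str) -> bool:
    """Convenience wrapper: True if the block de-armors with a matching CRC."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


def iter_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet; handles old and new header formats."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet tag byte at offset %d" % pos)
        if ctb & 0x40:                                    # new-format header
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                             # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            size = 1 << ltype
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), 1 + size
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        pos += hdr + length


def inspect_key(armored: str) -> dict:
    """Return version, creation time, algorithm and User IDs of the primary key."""
    info = {"user_ids": []}
    for tag, body in iter_packets(dearmor(armored)):
        if tag == PUBLIC_KEY and "version" not in info:   # first key packet is the primary key
            created, algo = struct.unpack(">I", body[1:5])[0], body[5]
            info.update(version=body[0],
                        created=datetime.fromtimestamp(created, timezone.utc),
                        algorithm=ALGORITHMS.get(algo, "unknown(%d)" % algo))
        elif tag == USER_ID:
            info["user_ids"].append(body.decode("utf-8"))
    if "version" not in info:
        raise ValueError("no public key packet found")
    return info


def key_is_bound_to(armored: str, contact_email: str) -> bool:
    """True if some User ID on the key names the advertised contact mailbox."""
    wanted = "<%s>" % contact_email.lower()
    return any(wanted in uid.lower() for uid in inspect_key(armored)["user_ids"])


# ---- constructed sample key (toy numbers, no signatures; framing only) -------------
def _mpi(n: int) -> bytes:
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")


def _old_packet(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body


def build_sample_key(email: str, created: int = 1700000000) -> str:
    """Constructed v4 RSA key with one User ID; the address is a placeholder."""
    key = _old_packet(PUBLIC_KEY, b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(0xC355) + _mpi(65537))
    uid = _old_packet(USER_ID, ("Product Security <%s>" % email).encode())
    data = key + uid
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + lines
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])


SAMPLE_KEY = build_sample_key("security@example.com")   # assumed placeholder address

if __name__ == "__main__":
    print(inspect_key(SAMPLE_KEY))
    print("bound to security@example.com:", key_is_bound_to(SAMPLE_KEY, "security@example.com"))
```

The CRC check catches a key block mangled by copy-and-paste or a web page that rewrote characters, which is the most common reason an "encrypted" report never decrypts at the vendor. A matching User ID only shows that whoever made the key claimed that address; trust in the binding still comes from fetching the key and its fingerprint over HTTPS from the policy page itself.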
Section I: Clearly Worded VDP: Agency VDPs shall clearly articulate which systems are in scope and the set of security research activities that can be performed against them to protect those who would report vulnerabilities. Federal agencies shall provide clear assurances that good-faith security research is welcomed and authorized.
Clearly Identified Reporting Mechanism: Each Federal agency shall clearly and publicly identify where and how Federal information system vulnerabilities should be reported.
Timely Feedback: Federal agencies shall provide timely feedback to good-faith vulnerability reporters. Once a vulnerability is reported, those who report them deserve to know they are being taken seriously and that action is being taken. Agencies should establish clear expectations for regular follow-up communications with the vulnerability reporter, to include an agency-defined timeline for coordinated disclosure.
Good-Faith Security Research is Not an Incident or Breach: Good-faith security research does not itself constitute an incident or breach under the Federal Information Security Modernization Act of 2014 (FISMA) or OMB Memorandum M-17-12.
Section II: CISA must publish implementation guidance describing the actions agencies should take to incorporate VDPs into their larger information security programs.
Section III: Each federal agency must develop and implement a VDP.