Jurisdiction
Region
Requirement
Policy
Code of Practice: Securing the Internet of Things for Consumers
Applies to
Device Manufacturers, IoT Service Providers and Mobile Application Developers
Provision
Principle 2
Description

Principle 2: Implement a vulnerability disclosure policy 

IoT device manufacturers, IoT service providers and mobile application developers should provide a public point of contact as part of a vulnerability disclosure policy in order for security researchers and others to report issues. Disclosed vulnerabilities should be acted on in a timely manner. Implementing a bug bounty program encourages and rewards the cyber security community for identifying and reporting vulnerabilities, thereby facilitating the responsible and coordinated disclosure and remediation of vulnerabilities. 

Primarily applies to Device Manufacturers, IoT Service Providers and Mobile Application Developers.

Date
2020
Organization
Australian Government
Region
Requirement
Policy
UN Working Group Report, "Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security"
Applies to
UN Member States
Provision
III.j.
Description

States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure. 

Report adopted by UN General Assembly Resolution 70/237: https://documents.un.org/doc/undoc/gen/n15/457/57/pdf/n1545757.pdf

Date
July 22, 2015
Organization
United Nations
Jurisdiction
Region
Requirement
Policy
Política Nacional de Ciberseguridad 2023-2028 (National Cybersecurity Policy 2023-2028)
Applies to
Essential services (i.e., Critical Infrastructure)
Provision
Section 3.2
Description

In addition, following the best and most current international practices, it seeks to encourage vulnerability research by granting legal protection to ethical hacking, and to promote the reporting of cybersecurity incidents. If the bill is approved, Chile will have a regulatory framework and a national cybersecurity authority at the forefront of the region and the world.

Date
March 26, 2024
Organization
Chilean Government
Jurisdiction
Region
Requirement
Policy
Ley Marco de Ciberseguridad e Infraestructura Crítica (Framework Law on Cybersecurity and Critical Infrastructure)
Applies to
Agencia Nacional de Ciberseguridad (ANCI)
Provision
Article 19
Description

Article 19. Responsible notification of vulnerabilities. The obligations set forth in article 175 of the Criminal Procedure Code and in paragraph k) of article 61 of Law No. 18,834 on the Administrative Statute shall not apply to Agency employees with respect to information they receive from persons who notify them of cybersecurity vulnerabilities. The Agency must keep the notification, its supporting information, and the identity of the person who made it confidential. The identity of the person who notifies vulnerabilities may only be disclosed with that person's express consent.

Date
April 8, 2024
Organization
Chilean Government
Region
Requirement
Policy
ISO/IEC 30111, Information technology — Security techniques — Vulnerability handling processes
Applies to
Vendors
Provision
N/A
Description

This document provides requirements and recommendations for how to process and remediate reported potential vulnerabilities in a product or service.

This document is applicable to vendors involved in handling vulnerabilities.

Date
October 2019
Organization
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC)
Region
Requirement
Policy
ISO/IEC 29147, Information technology — Security techniques — Vulnerability disclosure
Applies to
Vendors
Provision
N/A
Description

This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1. Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected. This document provides:

— guidelines on receiving reports about potential vulnerabilities;

— guidelines on disclosing vulnerability remediation information;

— terms and definitions that are specific to vulnerability disclosure;

— an overview of vulnerability disclosure concepts;

— techniques and policy considerations for vulnerability disclosure;

— examples of techniques, policies (Annex A), and communications (Annex B).

Other related activities that take place between receiving and disclosing vulnerability reports are described in ISO/IEC 30111.

Date
October 2018
Organization
International Organization for Standardization/International Electrotechnical Commission (ISO/IEC)
Region
Requirement
Policy
Good Practice Guidance on the Co-ordination of Digital Security Vulnerabilities (DSTI/CDEP/SDE(2021)9/FINAL)
Applies to
Policy makers, code owners, system owners, vulnerability researchers
Provision
N/A
Description

This good practice guidance aims to provide policy makers with an overarching understanding of the co-ordination of digital security vulnerabilities in practice, while avoiding technical jargon and detailed considerations. It may also help technical security experts communicate with policy makers and with non-technical experts in their organisation, such as CEOs, board members, and communication and legal departments. This document is expected to be sufficiently consistent with technical standards and other guides targeting technical experts in this area; it does not aim to replace them, but rather to raise awareness of their existence and of the need for practitioners to use them.

Date
January 25, 2023
Organization
Organization for Economic Co-operation and Development (OECD)
Region
Requirement
Policy
Recommendation of the Council on the Treatment of Digital Security Vulnerabilities (OECD/LEGAL/0482)
Applies to
Signatory countries
Provision
N/A
Description

The purpose of this Recommendation is to provide guidance on how to implement the Digital Security Recommendation to develop public policies to foster vulnerability treatment in order to reduce digital security risk, thereby strengthening trust and supporting digital transformation.

Date
September 25, 2022
Organization
Organization for Economic Co-operation and Development (OECD)
Region
Requirement
Policy
Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure
Applies to
Vendors
Provision
N/A
Description

Provides "Guiding Concepts and Best Current Practices" for multi-party coordinated vulnerability disclosure:

1. Establish a strong foundation of processes and relationships

2. Maintain clear and consistent communications

3. Build and maintain trust

4. Minimize exposure for stakeholders

5. Respond quickly to early disclosure

6. Use coordinators when appropriate

Date
Spring 2020
Organization
FIRST - Forum of Incident Response and Security Teams