Region
Requirement
Policy
The CERT® Guide to Coordinated Vulnerability Disclosure
Applies to
All Organizations
Provision
N/A
Description
Provides a summary of Coordinated Vulnerability Disclosure (CVD). The document includes seven core sections:
1. Principles of Coordinated Vulnerability Disclosure
2. Roles in CVD
3. Phases of CVD
4. Process Variation Points
5. Troubleshooting CVD
6. Operational Considerations
7. Open Problems in CVD
Date
August 2017
Organization
Carnegie Mellon University Software Engineering Institute
Region
Requirement
Policy
GFCE Global Good Practices Coordinated Vulnerability Disclosure (CVD)
Applies to
Political leadership/policymakers, manufacturers/vendors, users, reporters, legal professionals, and national CSIRTs
Provision
N/A
Description
Provides CVD best practices for political leadership/policymakers, manufacturers/vendors, users, reporters, legal professionals, and national CSIRTs. It also explains eight key challenges, including conflicts between involved stakeholders, failure to patch after disclosure, and the sale of zero-day vulnerabilities.
Date
2017
Organization
Global Forum on Cyber Expertise
Region
Requirement
Policy
Decision No. 1202 - OSCE Confidence-Building Measures to Reduce the Risks of Conflict Stemming from the Use of Information and Communication Technologies
Applies to
OSCE Member States
Provision
CBM 16
Description
Participating States will, on a voluntary basis, encourage responsible reporting of vulnerabilities affecting the security of and in the use of ICTs and share associated information on available remedies to such vulnerabilities, including with relevant segments of the ICT business and industry, with the goal of increasing co-operation and transparency within the OSCE region. OSCE participating States agree that such information exchange, when occurring between States, should use appropriately authorized and protected communication channels, including the contact points designated in line with CBM 8 of Permanent Council Decision No. 1106, with a view to avoiding duplication.
Date
March 2016
Organization
Organization for Security and Co-operation in Europe (OSCE)
Region
Requirement
Policy
Payment Card Industry Data Security Standard (PCI DSS) v4.0
Applies to
Organizations that use or facilitate payments with major credit card issuers
Provision
6.3.1
Description
Section 6.3 - Security vulnerabilities are identified and addressed.

In the "defined approach requirements", PCI requires organizations to identify vulnerabilities "using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs)." Although Section 6.3 does not make a broad recommendation for covered entities to have CVD programs or VDPs, it comes close in its guidance for in-house developed software. Specifically, the guidance states: "For control over in-house developed software, the organization may receive such information from external sources. The organization can consider using a 'bug bounty' program where it posts information (for example, on its website) so third parties can contact the organization with vulnerability information. External sources may include independent investigators or companies that report to the organization about identified vulnerabilities and may include sources such as the Common Vulnerability Scoring System (CVSS) or the OWASP Risk Rating Methodology."
Date
March 2022
Organization
Payment Card Industry Security Standards Council (PCI-SSC)
Region
Requirement
Policy
ETSI EN 303 645, Cyber Security for Consumer Internet of Things: Baseline Requirements
Applies to
Manufacturers of consumer IoT devices
Provision
Provision 5.2-1
Description
The manufacturer shall make a vulnerability disclosure policy publicly available. This policy shall include, at a minimum:

• contact information for the reporting of issues; and

• information on timelines for: 1) initial acknowledgement of receipt; and 2) status updates until the resolution of the reported issues.
Date
June 2020
Organization
ETSI - European Telecommunications Standards Institute
Region
Requirement
Policy
ETSI TR 103 838, Cyber Security; Guide to Coordinated Vulnerability Disclosure
Applies to
Companies and organizations
Provision
N/A
Description
Provides guidance regarding the "essential steps" companies should take when deciding to implement a VDP. ETSI explicitly states that the document is not intended to be a "comprehensive" guide.
Date
January 2022
Organization
ETSI - European Telecommunications Standards Institute
Jurisdiction
Region
Requirement
Policy
Responsible Vulnerability Disclosure Policy
Applies to
System Owners and Informers (vulnerability reporters)
Provision
Responsible Disclosure Guidelines
Description
Recommends and outlines best practices for "Informers" and "System Owners". The policy also explains in which cases SingCERT can and cannot act as a conduit between Informers and System Owners. Broadly speaking, "SingCERT supports RVD as a means of fostering cooperation between System Owner(s) and the wider cybersecurity community, so as to improve cybersecurity and build a trusted and resilient cyberspace." "System Owners are encouraged to develop their own vulnerability disclosure policies setting out how vulnerability reports will be received and handled, what the reports should contain, approaches for disclosure to affected users and the public, as well as any rewards policies." System Owners are also encouraged to keep an open line of contact with the Informer so that further information can be taken in, and to update both SingCERT and the Informer on their assessment of the report. If the Informer cannot reach the System Owner for some reason, SingCERT can act as a liaison between the two; in that case the Informer reports the vulnerability to SingCERT via email. Version 2.0 of this policy was released in October 2024.
Date
October 2024
Organization
Cyber Security Agency of Singapore / SingCERT
Jurisdiction
Region
Requirement
Policy
Information Security Early Warning Partnership Guideline
Applies to
Software Developers and Website Developers
Provision
N/A
Description
Japan's Information-technology Promotion Agency (IPA) collects vulnerability information from informers and, either by itself or through JPCERT/CC, passes that information on to the relevant parties. IPA handles website vulnerabilities and JPCERT/CC handles software product vulnerabilities. According to IPA, the process is aligned with ISO/IEC 29147:2014 (which, as noted in the entry on the US FDA's regulations, was updated in 2018). In 2024, Japan's "Standards for Handling Vulnerability-related Information of Software Products and Others" were partially amended to enhance the coordination and communication processes among stakeholders, including finders, software developers, and website operators, thereby improving the overall management and disclosure of vulnerability-related information.
Date
September 2024
Organization
IPA / JPCERT/CC
Jurisdiction
Region
Requirement
Policy
New Zealand Information Security Manual (NZISM)
Applies to
New Zealand Government departments, agencies and organizations; Crown entities, local government and private sector organizations
Provision
Objective 5.9
Description
Objective 5.9.1: Agencies implement a Vulnerability Disclosure Policy (VDP) to enable members of the public to report vulnerabilities in the agency's public-facing systems and applications and receive feedback on such reports.

Objective 5.9.20: A VDP will typically include:
• a scoping statement setting out which systems the policy applies to (e.g. the agency's website and other public-facing systems);
• details of how finders can contact the agency's security team (including any public keys for encrypting reports);
• permitted activities;
• acknowledgement of reports and a response time (typically 60 or 90 days) for corrections, adjustments, or other "fixes";
• reporters/finders agreeing not to share information about the vulnerability until the end of the disclosure period, to let the organisation fix the issues before they become public;
• a statement that illegal activities are not permitted (specifying any relevant legislation, such as the Crimes Act, the Privacy Act, etc.); and
• either a statement that bug bounties will not be paid for any discoveries, or information about the agency's bug bounty programme.

Version 3.8 of this manual was released in September 2024.
Date
September 2024
Organization
Government Communications Security Bureau (GCSB)