Jurisdiction
Region
Requirement
Policy
Coordinated Vulnerability Disclosure Policies in the EU
Applies to
EU Member States
Provision
Section 4
Description
Encourages EU member states to implement CVD policies by providing recommendations for overcoming the associated legal, economic, political, operational, and crisis management challenges. In the document, ENISA also indicated that, in the future, it might provide clear guidance to countries on how to establish a CVD policy, publish countries' best practices and challenges, and publish templates on which countries can base their policies.
Date
April 2022
Organization
European Union Agency for Cybersecurity (ENISA)
Jurisdiction
Region
Requirement
Policy
Cyber Security Self-Assessment
Applies to
Federally regulated financial institutions (FRFIs) in Canada
Provision
Item 42
Description
The FRFI has identified reputable sources of vulnerability information, and subscribes to recognized and authoritative vulnerability reporting services.
Date
August 2021
Organization
Office of the Superintendent of Financial Institutions (OSFI)
Jurisdiction
Region
Requirement
Policy
Cyber Related Sanctions FAQs
Applies to
Reporters of vulnerabilities / good faith security researchers
Provision
FAQ 448
Description
Question: I conduct cyber-related activities for legitimate educational, network defense, or research purposes only. Am I vulnerable to the application of sanctions under this authority for these activities?  Answer: The measures in this order are directed against significant malicious cyber-enabled activities that have the purpose or effect of causing specific enumerated harms, and are not designed to prevent or interfere with legitimate cyber-enabled academic, business, or non-profit activities. The U.S. government supports efforts by researchers, cybersecurity experts, and network defense specialists to identify, respond to, and repair vulnerabilities that could be exploited by malicious actors. Similarly, these measures are not intended to target persons engaged in legitimate activities to ensure and promote the security of information systems, such as penetration testing and other methodologies, or to prevent or interfere with legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions, competitions, or similar “good faith” events.
Date
April 2015
Organization
Office of Foreign Assets Control (OFAC)
Jurisdiction
Region
Requirement
Policy
Vulnerability Disclosure Attitudes and Actions
Applies to
Organizations
Provision
N/A
Description
In September 2015, the National Telecommunications and Information Administration (NTIA) convened a multi-stakeholder process to investigate software vulnerability disclosure and handling practices. The process was open to any interested participant and included members from business, government, and civil society. Members organized into three working groups to study different aspects of vulnerability disclosure and handling. This report is a product of the "Awareness and Adoption Working Group," which focused on increasing understanding and use of best practices.
Date
December 2016
Organization
National Telecommunications and Information Administration
Jurisdiction
Region
Requirement
Policy
“Early Stage” Coordinated Vulnerability Disclosure Template Version 1.1
Applies to
Companies and organizations, especially those in "safety-critical industries" (e.g., automotive, medical devices, etc.)
Provision
N/A
Description
In 2016, NTIA convened "a multistakeholder process to address principles and practices around security researcher disclosure." The NTIA Safety Working Group produced this document to outline the initial steps an organization can take to improve collaboration within the context of vulnerability disclosure and remediation. "Much of the discussion targeted the safety-critical industry, in which the potential for harm directly impacts public safety or causes physical damage (e.g., automobiles or medical devices), but the lessons are easily adaptable by any organization that builds or maintains its own software systems." NTIA's document is broken into the following sections: 1. Introduction: Disclosure and Safety 2. Disclosure Policy: First Steps 3. Template Disclosure Policy 4. Sample Vulnerability Disclosure Policy Template 5. Issues to Consider in Writing a Disclosure Policy
Date
December 2016
Organization
National Telecommunications and Information Administration
Jurisdiction
Region
Requirement
Policy
A Framework for a Vulnerability Disclosure Program for Online Systems
Applies to
Organizations
Provision
N/A
Description
A framework to assist organizations interested in instituting a formal vulnerability disclosure program. It provides a rubric of considerations that may inform the content of vulnerability disclosure policies. The framework does not dictate the form of or objectives for vulnerability disclosure programs; different organizations may have differing goals and priorities for their vulnerability disclosure programs. Instead, the framework outlines a process for designing a vulnerability disclosure program that will clearly describe authorized vulnerability disclosure and discovery conduct, thereby substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act. The framework consists of four steps: 1. Design the vulnerability disclosure program 2. Plan for administering the vulnerability disclosure program 3. Draft a vulnerability disclosure policy that accurately and unambiguously captures the organization's intent 4. Implement the vulnerability disclosure program
Date
July 2017
Organization
U.S. Department of Justice
Jurisdiction
Region
Requirement
Policy
FDA Postmarket Guidance for Medical Devices
Applies to
Medical device manufacturers
Provision
Sec. V(B), VII
Description
Section V(B): Manufacturers should implement "Cybersecurity Risk Management Programs" that include "adopting a coordinated vulnerability disclosure policy and practice." Because the guidance was published in 2016, it refers manufacturers to ISO/IEC 29147:2014 (Information Technology - Security Techniques - Vulnerability Disclosure), which has since been superseded by ISO/IEC 29147:2018.

Section VII: Manufacturers should "adopt a coordinated vulnerability disclosure policy and practice that includes acknowledging receipt of the initial vulnerability report to the vulnerability submitter."
Date
December 2016
Organization
FDA
Jurisdiction
Region
Requirement
Policy
NIST Cybersecurity Framework 2.0
Applies to
All organizations that use the CSF
Provision
ID.RA.08
Description
"Processes for receiving, analyzing, and responding to vulnerability disclosures are established" within an organization.
Date
February 2024
Organization
NIST
Jurisdiction
Region
Requirement
Policy
NIST SP 800-218, Secure Software Development Framework
Applies to
Software developers
Provision
RV.1.3
Description
RV.1.3: Have a policy that addresses vulnerability disclosure and remediation, and implement the roles, responsibilities, and processes needed to support that policy.
Date
February 2022
Organization
NIST