<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.hackerone.com/">
  <channel>
    <title>Asia/Pacific</title>
    <link>https://www.hackerone.com/</link>
    <description/>
    <language>en</language>
    
    <item>
  <title>Protective Security Policy Framework - Policy 11 - Robust ICT Systems</title>
  <link>https://www.hackerone.com/node/2398</link>
  <description><![CDATA[

  
    Jurisdiction
              Australia
          

  
    Region
              Asia/Pacific
          

  
    Requirement
              Required
          

  
    Organization
              Australian Department of Home Affairs
          

  
    Provision
              C.6
          

  
    Applies to
              Australian Government entities
          

  
    Date
              July 29, 2022
          

  
    Description
              <p>C.6 Vulnerability Disclosure Program&nbsp;</p><p>60. Requirement 4 mandates that all entities must have in place a vulnerability disclosure program. This includes having a publicly available vulnerability disclosure policy supported by processes and procedures for receiving, verifying, resolving and reporting on security vulnerabilities disclosed by both internal and external sources.&nbsp;</p><p>61. Implementing a vulnerability disclosure program, based on responsible disclosure, can assist entities, vendors and service providers to improve the security of their products and services as it provides a way for security researchers, customers and members of the public to responsibly notify them of potential security vulnerabilities in a coordinated manner. Furthermore, following the verification and resolution of a reported security vulnerability, it can assist entities, vendors and service providers in notifying their customers of any security vulnerabilities that have been discovered in their products and services and any recommended security patches, updates or mitigations.&nbsp;</p><p>62. For guidance on the creation and maintenance of vulnerability disclosure programs, see the Information Security Manual and Guidelines for Software Development.</p>
          

            <a href="https://www.protectivesecurity.gov.au/system/files/2024-02/policy-11-robust-ict-systems.pdf">https://www.protectivesecurity.gov.au/system/files/2024-02/policy-11-robust-ict…</a>
      ]]></description>
  <pubDate>Wed, 09 Oct 2024 17:52:21 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2398 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Code of Practice: Securing the Internet of Things for Consumers</title>
  <link>https://www.hackerone.com/node/2397</link>
  <description><![CDATA[

  
    Jurisdiction
              Australia
          

  
    Region
              Asia/Pacific
          

  
    Requirement
              Recommended
          

  
    Organization
              Australian Government
          

  
    Provision
              Principle 2
          

  
    Applies to
              Device Manufacturers, IoT Service Providers and Mobile Application Developers
          

  
    Date
              2020
          

  
    Description
              <p>Principle 2: Implement a vulnerability disclosure policy&nbsp;</p><p>IoT device manufacturers, IoT service providers and mobile application developers should provide a public point of contact as part of a vulnerability disclosure policy in order for security researchers and others to report issues. Disclosed vulnerabilities should be acted on in a timely manner. Implementing a bug bounty program encourages and rewards the cyber security community for identifying and reporting vulnerabilities, thereby facilitating the responsible and coordinated disclosure and remediation of vulnerabilities.&nbsp;</p><p>Primarily applies to Device Manufacturers, IoT Service Providers and Mobile Application Developers.</p>
          

            <a href="https://www.homeaffairs.gov.au/reports-and-pubs/files/code-of-practice.pdf">https://www.homeaffairs.gov.au/reports-and-pubs/files/code-of-practice.pdf</a>
      ]]></description>
  <pubDate>Wed, 09 Oct 2024 13:52:19 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2397 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Regulations on the Management of Security Vulnerabilities in Network Products</title>
  <link>https://www.hackerone.com/node/2381</link>
  <description><![CDATA[

  
    Jurisdiction
              People's Republic of China
          

  
    Region
              Asia/Pacific
          

  
    Requirement
              Required
          

  
    Organization
              Ministry of Industry and Information Technology
          

  
    Provision
              Article 5, Article 6
          

  
    Applies to
              Network product providers, network operators and network product security vulnerability collection platforms
          

  
    Date
              July 2021
          

  
    Description
              <strong>Article 5: </strong>Network product providers, network operators and network product security vulnerability collection platforms shall establish and improve channels for receiving network product security vulnerability information and keep them open, and retain network product security vulnerability information receiving logs for no less than 6 months.&nbsp;&nbsp;<strong>Article 6:</strong> "Encourages relevant organizations and individuals to report security vulnerabilities in their products to network product providers" and "Encourage network product providers to establish a reward mechanism for security vulnerabilities in the network products they provide, and reward organizations or individuals who discover and report security vulnerabilities in the network products they provide."
          

            <a href="http://www.cac.gov.cn/2021-07/13/c_1627761607640342.htm">http://www.cac.gov.cn/2021-07/13/c_1627761607640342.htm</a>
      ]]></description>
  <pubDate>Mon, 29 Jul 2024 21:45:48 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2381 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Responsible Vulnerability Disclosure Policy</title>
  <link>https://www.hackerone.com/node/2380</link>
  <description><![CDATA[

  
    Jurisdiction
              Singapore
          

  
    Region
              Asia/Pacific
          

  
    Requirement
              Recommended
          

  
    Organization
              Cyber Security Agency of Singapore / SingCERT
          

  
    Provision
              Responsible Disclosure Guidelines
          

  
    Applies to
              System Owners
          

  
    Date
              October 2024
          

  
    Description
              Recommends and outlines best practices for "Informers" and "System Owners". The policy also explains in which cases SingCERT can and cannot act as a conduit between Informers and System Owners. Broadly speaking, "SingCERT supports RVD as a means of fostering cooperation between System Owner(s) and the wider cybersecurity community, so as to improve cybersecurity and build a trusted and resilient cyberspace."&nbsp;<strong>"System Owners</strong> are encouraged to develop their own vulnerability disclosure policies setting out how vulnerability reports will be received and handled, what the reports should contain, approaches for disclosure to affected users and the public, as well as any rewards policies." They are also encouraged to keep open contact with the Informer to take in more information and to update SingCERT and the Informer on their assessments.&nbsp;&nbsp;If the Informer cannot reach the System Owner for some reason, SingCERT can act as a liaison between the two. In that case, the Informer reports the vulnerability to SingCERT via email.&nbsp;<br>&nbsp;Version 2.0 of this manual was released in October 2024.
          

            <a href="https://www.csa.gov.sg/Tips-Resource/Resources/singcert/singcert-vulnerability-disclosure-policy">https://www.csa.gov.sg/Tips-Resource/Resources/singcert/singcert-vulnerability-…</a>
      ]]></description>
  <pubDate>Mon, 29 Jul 2024 21:44:10 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2380 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Information Security Early Warning Partnership Guideline</title>
  <link>https://www.hackerone.com/node/2379</link>
  <description><![CDATA[

  
    Jurisdiction
              Japan
          

  
    Region
              Asia/Pacific
          

  
    Requirement
              Recommended
          

  
    Organization
              IPA / JPCERT
          

  
    Provision
              N/A
          

  
    Applies to
              Software Developers and Website Developers
          

  
    Date
              September 2024
          

  
    Description
              Japan's Information-technology Promotion Agency (IPA) collects information from informers and, either itself or through JPCERT/CC, passes that information on to the relevant parties. IPA handles website vulnerabilities and JPCERT/CC handles software vulnerabilities. According to IPA, the process is in alignment with ISO/IEC 29147:2014 (which, as noted with regard to the US FDA's regulations, was updated in 2018).&nbsp;In 2024, Japan's "Standards for Handling Vulnerability-related Information of Software Products and Others" were partially amended to enhance the coordination and communication processes among stakeholders, including finders, software developers, and website operators, thereby improving the overall management and disclosure of vulnerability-related information.&nbsp;
          

            <a href="https://www.ipa.go.jp/en/security/vulnerabilities/partnership.html">https://www.ipa.go.jp/en/security/vulnerabilities/partnership.html</a>
      ]]></description>
  <pubDate>Mon, 29 Jul 2024 21:38:05 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2379 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Information Security Manual (ISM)</title>
  <link>https://www.hackerone.com/node/2378</link>
  <description><![CDATA[

  
    Jurisdiction
              New Zealand
          

  
    Region
              Asia/Pacific
          

  
    Requirement
              Recommended
          

  
    Organization
              Government Communications Security Bureau
          

  
    Provision
              Objective 5.9
          

  
    Applies to
              New Zealand Government departments, agencies and organizations; Crown entities, local government and private sector organizations
          

  
    Date
              September 2024
          

  
    Description
              <strong>Objective 5.9.1.</strong> Agencies implement a Vulnerability Disclosure Policy (VDP) to enable members of the public to report vulnerabilities in the agency’s public-facing systems and applications and receive feedback on such reports.&nbsp;&nbsp;<strong>Objective 5.9.20. </strong>A VDP will typically include: A scoping statement setting out which systems the policy applies to (e.g. the agency’s website and other public-facing systems); Details of how finders can contact the agency’s security team (including any public keys for encrypting reports); Permitted activities; Acknowledgement of reports and a response time (typically 60 or 90 days) for corrections, adjustments, or other “fixes”; Reporters/finders agreeing to not share information about the vulnerability until the end of the disclosure period, to let the organisation fix the issues before it becomes public; Illegal activities are not permitted (specifying any relevant legislation, such as the Crimes Act, the Privacy Act etc.); and Either a statement that bug bounties will not be paid for any discoveries, or information about the agency’s bug bounty programme.&nbsp;Version 3.8 of this manual was released in September 2024.&nbsp;
          

            <a href="https://nzism.gcsb.govt.nz/ism-document/#Section-12947">https://nzism.gcsb.govt.nz/ism-document/#Section-12947</a>
      ]]></description>
  <pubDate>Mon, 29 Jul 2024 21:31:47 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2378 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Information Security Manual (ISM)</title>
  <link>https://www.hackerone.com/node/2377</link>
  <description><![CDATA[

  
    Jurisdiction
              Australia
          

  
    Region
              Asia/Pacific
          

  
    Requirement
              Recommended
          

  
    Organization
              Australian Signals Directorate (ASD)
          

  
    Provision
              Pg. 106 (Controls ISM-1616, ISM-1755, ISM-1756, ISM-1717)
          

  
    Applies to
              Large companies, Government agencies
          

  
    Date
              September 2023
          

  
    Description
              <p><strong>Control: ISM-1616</strong>; Revision: 0; Updated: Aug-20; Applicability: All; Essential Eight: N/A<br>A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services.</p><p><strong>Control: ISM-1755</strong>; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: N/A<br>A vulnerability disclosure policy is developed, implemented and maintained.</p><p><strong>Control: ISM-1756</strong>; Revision: 1; Updated: Dec-22; Applicability: All; Essential Eight: N/A<br>Vulnerability disclosure processes, and supporting vulnerability disclosure procedures, are developed, implemented and maintained.</p><p><strong>Control: ISM-1717</strong>; Revision: 2; Updated: Sep-23; Applicability: All; Essential Eight: N/A<br>A ‘security.txt’ file is hosted for all internet-facing organisational domains to assist in the responsible disclosure of vulnerabilities in an organisation’s products and services.</p>
          

            <a href="https://www.cyber.gov.au/sites/default/files/2024-03/Information%20Security%20Manual%20%28March%202024%29.pdf">https://www.cyber.gov.au/sites/default/files/2024-03/Information%20Security%20M…</a>
      ]]></description>
  <pubDate>Mon, 29 Jul 2024 21:25:49 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2377 at https://www.hackerone.com</guid>
    </item>

  </channel>
</rss>
