<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.hackerone.com/">
  <channel>
    <title>North America</title>
    <link>https://www.hackerone.com/</link>
    <description/>
    <language>en</language>
    
    <item>
  <title>Cyber Security Self-Assessment</title>
  <link>https://www.hackerone.com/node/2358</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Cyber Security Self-Assessment</span>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Mon, 07/29/2024 - 13:18
</span>

  
    Jurisdiction
              Canada
          

  
    Region
              North America
          

  
    Requirement
              Recommended
          

  
    Organization
              Office of the Superintendent of Financial Institutions (OSFI)
          

  
    Provision
              Item 42
          

  
    Applies to
              Federally regulated financial institutions (FRFIs) in Canada
          

  
    Date
              August 2021
          

  
    Description
              <p>The FRFI has identified reputable sources of vulnerability information, and subscribes to recognized and authoritative vulnerability reporting services.</p>
          

            <a href="https://www.osfi-bsif.gc.ca/Eng/fi-if/in-ai/Pages/cbrsk.aspx">https://www.osfi-bsif.gc.ca/Eng/fi-if/in-ai/Pages/cbrsk.aspx</a>
      ]]></description>
  <pubDate>Mon, 29 Jul 2024 18:18:40 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2358 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Cybersecurity in the Marine Transportation System</title>
  <link>https://www.hackerone.com/node/2357</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Cybersecurity in the Marine Transportation System</span>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Mon, 07/29/2024 - 13:10
</span>

  
    Jurisdiction
              United States
          

  
    Region
              North America
          

  
    Requirement
              Required *Coming Soon
          

  
    Organization
              U.S. Coast Guard
          

  
    Provision
              Sec. 101.650(e)(3)(ii)
          

  
    Applies to
              U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations
          

  
    Date
              TBD
          

  
    Description
              <p>(3) Routine system maintenance. Each owner or operator or a designated CySO of a vessel, facility, or OCS facility must ensure the following measures for routine system maintenance are in place and documented in Section 6 of the Cybersecurity Plan:&nbsp;</p><p>(i) Ensure patching or implementation of documented compensating controls for all KEVs in critical IT or OT systems, without delay;&nbsp;</p><p><strong>(ii) Maintain a method to receive and act on publicly submitted vulnerabilities;</strong>&nbsp;</p><p>(iii) Maintain a method to share threat and vulnerability information with external stakeholders;&nbsp;</p><p>(iv) Ensure there are no exploitable channels directly exposed to internet-accessible systems;&nbsp;</p><p>(v) Ensure no OT is connected to the publicly accessible internet unless explicitly required for operation, and verify that, for any remotely accessible OT system, there is a documented justification; and&nbsp;</p><p>(vi) Conduct vulnerability scans as specified in the Cybersecurity Plan.</p>
          

            <a href="https://www.federalregister.gov/documents/2024/02/22/2024-03075/cybersecurity-in-the-marine-transportation-system">https://www.federalregister.gov/documents/2024/02/22/2024-03075/cybersecurity-i…</a>
      ]]></description>
  <pubDate>Mon, 29 Jul 2024 18:10:00 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2357 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Cyber Related Sanctions FAQs</title>
  <link>https://www.hackerone.com/node/2356</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Cyber Related Sanctions FAQs</span>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Mon, 07/29/2024 - 12:45
</span>

  
    Jurisdiction
              United States
          

  
    Region
              North America
          

  
    Requirement
              Recommended
          

  
    Organization
              Office of Foreign Assets Control (OFAC)
          

  
    Provision
              FAQ 448
          

  
    Applies to
              Reporters of vulnerabilities / good faith security researchers
          

  
    Date
              April 2015
          

  
    Description
              Question: I conduct cyber-related activities for legitimate educational, network defense, or research purposes only. Am I vulnerable to the application of sanctions under this authority for these activities?&nbsp;&nbsp;Answer: The measures in this order are directed against significant malicious cyber-enabled activities that have the purpose or effect of causing specific enumerated harms, and are not designed to prevent or interfere with legitimate cyber-enabled academic, business, or non-profit activities. The U.S. government supports efforts by researchers, cybersecurity experts, and network defense specialists to identify, respond to, and repair vulnerabilities that could be exploited by malicious actors. Similarly, these measures are not intended to target persons engaged in legitimate activities to ensure and promote the security of information systems, such as penetration testing and other methodologies, or to prevent or interfere with legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions, competitions, or similar “good faith” events.
          

            <a href="https://ofac.treasury.gov/faqs/448">https://ofac.treasury.gov/faqs/448</a>
      ]]></description>
  <pubDate>Mon, 29 Jul 2024 17:45:50 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2356 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>Vulnerability Disclosure Attitudes and Actions</title>
  <link>https://www.hackerone.com/node/2355</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">Vulnerability Disclosure Attitudes and Actions</span>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Mon, 07/29/2024 - 12:43
</span>

  
    Jurisdiction
              United States
          

  
    Region
              North America
          

  
    Requirement
              Recommended
          

  
    Organization
              National Telecommunications and Information Administration
          

  
    Provision
              N/A
          

  
    Applies to
              Organizations
          

  
    Date
              December 2016
          

  
    Description
In September 2015, the National Telecommunications and Information Administration (NTIA) convened a multi-stakeholder process to investigate software vulnerability disclosure and handling practices. The process was open to any interested participant and included members from business, government, and civil society. Members organized into three working groups to study different aspects of vulnerability disclosure and handling. This report is a product of the “Awareness and Adoption Working Group,” which focused on increasing understanding and use of best practices.
          

            <a href="https://www.ntia.gov/files/ntia/publications/2016_ntia_a_a_vulnerability_disclosure_insights_report.pdf">https://www.ntia.gov/files/ntia/publications/2016_ntia_a_a_vulnerability_disclo…</a>
      ]]></description>
  <pubDate>Mon, 29 Jul 2024 17:43:53 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2355 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>“Early Stage” Coordinated Vulnerability Disclosure Template Version 1.1</title>
  <link>https://www.hackerone.com/node/2354</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">“Early Stage” Coordinated Vulnerability Disclosure Template Version 1.1</span>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Mon, 07/29/2024 - 12:29
</span>

  
    Jurisdiction
              United States
          

  
    Region
              North America
          

  
    Requirement
              Recommended
          

  
    Organization
              National Telecommunications and Information Administration
          

  
    Provision
              N/A
          

  
    Applies to
              Companies and organizations, especially those in "safety-critical industries" (e.g., automotive, medical devices, etc.)
          

  
    Date
              December 2016
          

  
    Description
In 2016, NTIA convened "a multistakeholder process to address principles and practices around security researcher disclosure." The NTIA Safety Working Group produced this document <strong>to outline the initial steps an organization can take to improve collaboration within the context of vulnerability disclosure and remediation</strong>. "Much of the discussion targeted the safety-critical industry, in which the potential for harm directly impacts public safety or causes physical damage (e.g., automobiles or medical devices), but the lessons are easily adaptable by any organization that builds or maintains its own software systems." NTIA's document is broken into the following sections: 1. Introduction: Disclosure and Safety; 2. Disclosure Policy: First Steps; 3. Template Disclosure Policy; 4. Sample Vulnerability Disclosure Policy Template; 5. Issues to Consider in Writing a Disclosure Policy.
          

            <a href="https://www.ntia.gov/files/ntia/publications/ntia_vuln_disclosure_early_stage_template.pdf">https://www.ntia.gov/files/ntia/publications/ntia_vuln_disclosure_early_stage_t…</a>
      ]]></description>
  <pubDate>Mon, 29 Jul 2024 17:29:04 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2354 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>A Framework for a Vulnerability Disclosure Program for Online Systems</title>
  <link>https://www.hackerone.com/node/2353</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">A Framework for a Vulnerability Disclosure Program for Online Systems</span>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Mon, 07/29/2024 - 08:32
</span>

  
    Jurisdiction
              United States
          

  
    Region
              North America
          

  
    Requirement
              Recommended
          

  
    Organization
              U.S. Department of Justice
          

  
    Provision
              N/A
          

  
    Applies to
              Organizations
          

  
    Date
              July 2017
          

  
    Description
A framework to assist organizations interested in instituting a formal vulnerability disclosure program.&nbsp;It provides a rubric of considerations that may inform the content of vulnerability disclosure policies. The framework does not dictate the form of or objectives for vulnerability disclosure programs; different organizations may have differing goals and priorities for their vulnerability disclosure programs. Instead, the framework outlines a process for designing a vulnerability disclosure program that will clearly describe authorized vulnerability disclosure and discovery conduct, thereby substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act.&nbsp;The framework consists of four steps:&nbsp;1. Design the vulnerability disclosure program; 2. Plan for administering the vulnerability disclosure program; 3. Draft a vulnerability disclosure policy that accurately and unambiguously captures the organization’s intent; 4. Implement the vulnerability disclosure program.
          

            <a href="https://www.justice.gov/criminal-ccips/page/file/983996/download">https://www.justice.gov/criminal-ccips/page/file/983996/download</a>
      ]]></description>
  <pubDate>Mon, 29 Jul 2024 13:32:55 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2353 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>FDA Postmarket Guidance for Medical Devices</title>
  <link>https://www.hackerone.com/node/2352</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">FDA Postmarket Guidance for Medical Devices</span>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Fri, 07/26/2024 - 16:11
</span>

  
    Jurisdiction
              United States
          

  
    Region
              North America
          

  
    Requirement
              Recommended
          

  
    Organization
              FDA
          

  
    Provision
              Sec. V(B), VII
          

  
    Applies to
              Medical device manufacturers
          

  
    Date
              December 2016
          

  
    Description
              <p><strong>Section V(B): </strong>Manufacturers should implement "Cybersecurity Risk Management Programs" that include "adopting a coordinated vulnerability disclosure policy and practice." Since the rule was published in 2016, it suggests that manufacturers make use of the ISO/IEC 29147:2014 (Information Technology - Security Techniques - Vulnerability Disclosure) Standard, which has since been replaced by a new version in 2018.&nbsp;</p><p><strong>Section VII:</strong> Manufacturers should "adopt a coordinated vulnerability disclosure policy and practice that <strong>includes acknowledging receipt of the initial vulnerability report to the vulnerability submitter</strong>"&nbsp;</p>
          

            <a href="https://www.fda.gov/media/95862/download">https://www.fda.gov/media/95862/download</a>
      ]]></description>
  <pubDate>Fri, 26 Jul 2024 21:11:48 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2352 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>NIST Cybersecurity Framework 2.0</title>
  <link>https://www.hackerone.com/node/2351</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">NIST Cybersecurity Framework 2.0</span>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Fri, 07/26/2024 - 16:10
</span>

  
    Jurisdiction
              United States
          

  
    Region
              North America
          

  
    Requirement
              Recommended
          

  
    Organization
              NIST
          

  
    Provision
              ID.RA.08
          

  
    Applies to
              All organizations that use the CSF
          

  
    Date
              February 2024
          

  
    Description
              "Processes for receiving, analyzing, and responding to vulnerability disclosures are established" within an organization.
          

            <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf">https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf</a>
      ]]></description>
  <pubDate>Fri, 26 Jul 2024 21:10:02 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2351 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>NIST SP 800-218, Secure Software Development Framework</title>
  <link>https://www.hackerone.com/node/2350</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">NIST SP 800-218, Secure Software Development Framework</span>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Fri, 07/26/2024 - 16:08
</span>

  
    Jurisdiction
              United States
          

  
    Region
              North America
          

  
    Requirement
              Recommended
          

  
    Organization
              NIST
          

  
    Provision
              RV.1.3
          

  
    Applies to
              Software developers
          

  
    Date
              February 2022
          

  
    Description
              RV.1.3: Have a policy that addresses vulnerability disclosure and remediation, and implement the roles, responsibilities, and processes needed to support that policy.
          

            <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf</a>
      ]]></description>
  <pubDate>Fri, 26 Jul 2024 21:08:24 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2350 at https://www.hackerone.com</guid>
    </item>
<item>
  <title>M-23-16, update to memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices</title>
  <link>https://www.hackerone.com/node/2349</link>
  <description><![CDATA[<span class="field field--name-title field--type-string field--label-hidden">M-23-16, update to memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices</span>
<span class="field field--name-uid field--type-entity-reference field--label-hidden"><span>h1_admin</span></span>
<span class="field field--name-created field--type-created field--label-hidden">Fri, 07/26/2024 - 16:04
</span>

  
    Jurisdiction
              United States
          

  
    Region
              North America
          

  
    Requirement
              Required
          

  
    Organization
              OMB
          

  
    Provision
              Section 4.b of the Self-Attestation Common Form
          

  
    Applies to
              Software producers that serve the Federal government
          

  
    Date
              June 9, 2023
          

  
    Description
Requires software producers to attest that they have a policy or process to address discovered security vulnerabilities prior to product release.
          

            <a href="https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-16-Update-to-M-22-18-Enhancing-Software-Security-1.pdf">https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-16-Update-to-M-22-18…</a>
      ]]></description>
  <pubDate>Fri, 26 Jul 2024 21:04:20 +0000</pubDate>
    <dc:creator>h1_admin</dc:creator>
    <guid isPermaLink="false">2349 at https://www.hackerone.com</guid>
    </item>

  </channel>
</rss>
