https://www.hackerone.com/ en https://www.hackerone.com/node/2376 Code of Practice for Software Vendors h1_admin Mon, 07/29/2024 - 16:24 Jurisdiction United Kingdom Region Europe Requirement Recommended *Coming Soon Organization Department of Science, Innovation, & Technology Provision Principle 3.2 Applies to Software developers, distributors, and resellers Date TBD Description 3.2 Ensure the organisation implements and publishes an effective vulnerability disclosure process to support a transparent and open culture within the organisation.  Associated technical control: Implement a vulnerability disclosure policy. (The organisation publishes a vulnerability disclosure policy which provides a public point of contact in order that security researchers and others are able to report issues. Disclosed vulnerabilities are then reported to relevant parties (outlined in the implementation guidance) and acted on in a timely manner.) https://www.gov.uk/government/calls-for-evidence/call-for-views-on-the-code-of-… ]]> Mon, 29 Jul 2024 21:24:38 +0000 h1_admin 2376 at https://www.hackerone.com https://www.hackerone.com/node/2375 Cyber Security of AI h1_admin Mon, 07/29/2024 - 16:23 Jurisdiction United Kingdom Region Europe Requirement Recommended *Coming Soon Organization Department of Science, Innovation, & Technology Provision Principle 6.3, Principle 11.2 Applies to Developers and System Operators Date TBD Description 6.3 Developers and System Operators shall implement and publish an effective vulnerability disclosure process to support a transparent and open culture within the organisation.  11.2 Developers shall provide security updates and patches, where possible, and notify System Operators and End-users of the security updates. 11.2.1 In instances where updates can’t be provided, Developers shall have mechanisms for escalating issues to the wider community, particularly customers and other Developers. To help deliver this, they could publish bulletins responding to vulnerability disclosures, including detailed and complete common vulnerability enumeration.  https://www.gov.uk/government/calls-for-evidence/call-for-views-on-the-cyber-se… ]]> Mon, 29 Jul 2024 21:23:13 +0000 h1_admin 2375 at https://www.hackerone.com https://www.hackerone.com/node/2369 National Cybersecurity Strategy IV (2021-2025) h1_admin Mon, 07/29/2024 - 15:52 Jurisdiction Luxembourg Region Europe Requirement Recommended *Coming Soon Organization High Commission for National Protection Provision Objective 1.5 Applies to TBD Date October 2021 Description The Government will propose the necessary legislative changes and initiatives to make possible or deepen different approaches in order to improve cybersecurity by using the collective intelligence of security researchers, private companies active in the search for vulnerabilities and any users who discover a security breach. The possibility of creating, in the near future, a platform at GOVCERT.LU that encourages researchers to report bugs, especially those associated with vulnerabilities, will be analysed. ]]> Mon, 29 Jul 2024 20:52:30 +0000 h1_admin 2369 at https://www.hackerone.com https://www.hackerone.com/node/2367 The Cybersecurity Strategy of Latvia 2023-2026 h1_admin Mon, 07/29/2024 - 15:42 Jurisdiction Latvia Region Europe Requirement Recommended *Coming Soon Organization Ministry of Defense Provision Directive 1 (Page 20) Applies to Institutions Date 2023 Description The newly created National Cybersecurity Centre will oversee - with the assistance of the Constitution Protection Bureau - the voluntary implementation of a coordinated vulenrabilty disclosure process within institutions in line with NIS2. https://www.mod.gov.lv/sites/mod/files/document/Kiberdrosibas%20strategija%2020… ]]> Mon, 29 Jul 2024 20:42:35 +0000 h1_admin 2367 at https://www.hackerone.com https://www.hackerone.com/node/2365 Cyber Security Strategy for Germany 2021 h1_admin Mon, 07/29/2024 - 15:15 Jurisdiction Germany Region Europe Requirement Recommended *Coming Soon Organization Federal Ministry of the Interior, Building, and Community Provision Section 8.1.8 Applies to Government agencies Date 2021 Description 8.1.8 Responding responsibly to vulnerabilities – promoting coordinated vulnerability Our aim is for the Federal Government to develop a framework to ensure that those reporting bugs have legal certainty if they approach companies to inform them that they have become aware of vulnerabilities, with a view to fostering proactive vulnerability governance. There will be reliable points of contact for them to report their findings. These can take the form of internal contact points which companies themselves are obligated to set up, or the BSI as a public liaison office. The legislator will obligate the companies affected to provide points of contact and processes to enable them to fix reported vulnerabilities in a suitable time frame. The extent to which the rights and duties are set out on both sides of the CVD process will be examined. These rights and duties could include a holdback period before making vulnerabilities public or a binding deadline for patches or updates. A coordinated process will be put in place between the BSI and manufacturers which extends beyond the simple exchange of information. This will also apply to vulnerabilities in the IT supply chains of products and services (supply chain security). https://www.bmi.bund.de/SharedDocs/downloads/EN/themen/it-digital-policy/cyber-… ]]> Mon, 29 Jul 2024 20:15:42 +0000 h1_admin 2365 at https://www.hackerone.com https://www.hackerone.com/node/2364 The Danish National Strategy for Cyber and Information Security h1_admin Mon, 07/29/2024 - 15:14 Jurisdiction Denmark Region Europe Requirement Recommended *Coming Soon Organization Danish Government Provision Appendix 1.12 Applies to Government agencies Date December 2021 Description A pilot of a government CVD (Coordinated Vulnerability Disclosure) policy will be launched. A government CVD policy will describe the framework for government agencies to allow private individuals (“helpful hackers”) to identify and report vulnerabilities in ICT systems. https://en.digst.dk/media/27024/digst_ncis_2022-2024_uk.pdf ]]> Mon, 29 Jul 2024 20:14:10 +0000 h1_admin 2364 at https://www.hackerone.com https://www.hackerone.com/node/2363 Action Plan for the National Cybersecurity Strategy of the Czech Republic 2021-2025 h1_admin Mon, 07/29/2024 - 15:12 Jurisdiction Czechia Region Europe Requirement Recommended *Coming Soon Organization National Cyber and Information Security Agency (NÚKIB) Provision Code 11 Applies to TBD Date TBD Description Czechia's NUKIB will "draft a national policy proposal for the coordinated disclosure of vulnerabilities" by Q4 2021. https://www.nukib.cz/download/publications_en/strategy_action_plan/NSKB-AP_ENG… ]]> Mon, 29 Jul 2024 20:12:17 +0000 h1_admin 2363 at https://www.hackerone.com