U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.


We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

This is an archive
(replace .gov by .rip)

Vulnerability Disclosure Guidance


NIST has been tasked with creating guidelines for reporting, coordinating, publishing, and receiving​ information about security vulnerabilities​, as part of the Internet of Things Cybersecurity Improvement Act of 2020, Public Law 116-207, and in alignment with ISO/IEC 29147 and 30111 whenever practical. 

The guidelines address:

  • Establishing a federal vulnerability disclosure framework, including the Federal Coordination Body (FCB) and Vulnerability Disclosure Program Offices (VDPOs) 
  • Receiving information about a potential security vulnerability in an information system owned or controlled by a government agency (including an Internet of Things device)
  • Disseminating information about the resolution of a security vulnerability relating to an information system owned or controlled by an agency (including an Internet of Things device)

Draft Special Publication (SP) 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines, is available for comment, and a link is provided under Publications on this page. SP 800-216 recommends guidance for establishing a federal vulnerability disclosure framework and highlights the importance of properly handling vulnerability reports and ensuring clear communications to minimize or eliminate vulnerabilities. The framework allows for local resolution support while providing federal oversight and should be applied to all software, hardware, and digital services under federal control.

NIST will continue to work with other government agencies – including OMB, DoD and DHS – in order to support a government-wide process of accepting, confirming, analyzing, solving, and deploying vulnerability disclosures. 

Please send comments to NIST-Federal-Vulnerability-Disclosure-Guidance-Feedback@nist.gov

Created February 04, 2021, Updated June 07, 2021