
Vulnerability Disclosure Guidance

References Associated with Vulnerability Disclosure

References

ISO/IEC 29147
International Organization for Standardization/International Electrotechnical Commission (2018) ISO/IEC 29147:2018 – Information technology – Security techniques – Vulnerability disclosure (ISO, Geneva, Switzerland). Available at https://www.iso.org/standard/72311.html

ISO/IEC 30111
International Organization for Standardization/International Electrotechnical Commission (2019) ISO/IEC 30111:2019 – Information technology – Security techniques – Vulnerability handling processes (ISO, Geneva, Switzerland). Available at https://www.iso.org/standard/69725.html

ISO/IEC 27002
International Organization for Standardization/International Electrotechnical Commission (2013) ISO/IEC 27002:2013 – Information technology – Security techniques – Code of practice for information security controls (ISO, Geneva, Switzerland). Available at https://www.iso.org/standard/54533.html

DHS VDP Template
Department of Homeland Security (DHS) Vulnerability Disclosure Policy (VDP) Template. Available at https://cyber.dhs.gov/bod/20-01/vdp-template/

DOD VDP
U.S. Department of Defense, Cyber Crime Center (2016) Vulnerability Disclosure Program (VDP). (U.S. Department of Defense, Washington, DC). Available at https://www.dc3.mil/Vulnerability-Disclosure/Vulnerability-Disclosure-Program-VDP/

CISA CVD
Cybersecurity & Infrastructure Security Agency (CISA) (2017) Coordinated Vulnerability Disclosure (CVD) Process. Available at https://www.cisa.gov/coordinated-vulnerability-disclosure-process

DOJ VDP
U.S. Department of Justice, Criminal Division, Cybersecurity Unit (2017) A Framework for a Vulnerability Disclosure Program for Online Systems. (U.S. Department of Justice, Washington, DC). Available at https://www.justice.gov/criminal-ccips/page/file/983996/download

GSA TTS PDV
U.S. General Services Administration, Technology Transformation Services. Public Disclosure of Vulnerabilities. Available at https://handbook.tts.gsa.gov/responding-to-public-disclosure-vulnerabilities/

NISTIR 8246
Byers R, Waltermire D, Turner C (2020) Collaborative Vulnerability Metadata Acceptance Process (CVMAP) for CVE Numbering Authorities (CNAs) and Authorized Data Publishers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8246. https://doi.org/10.6028/NIST.IR.8246

Contacts

Kim Schaffer
kim.schaffer@nist.gov

Created February 04, 2021, Updated June 07, 2021