WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the National Security Agency (NSA), Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), Netherlands’ National Cyber Security Centre (NCSC-NL), and United Kingdom’s National Cyber Security Centre (NCSC-UK), published Establishing a Coordinated Vulnerability Disclosure Program to Work With Security Researchers.
This guidance helps software manufacturers and online service providers collaborate effectively with security researchers who identify weaknesses in software, networks, and hardware in a structured, transparent framework. A well-defined coordinated vulnerability disclosure (CVD) program enables software manufacturers and online service providers to better assess potential risk, improve their vulnerability management processes, and make informed decisions that improve product security for their customers.
“Coordinated vulnerability disclosure is foundational to building a secure software ecosystem. The practices in this guide help protect customers, strengthen products and support CISA’s Secure by Design initiative, which encourages companies to be transparent and responsible in how they build and maintain their technology,” said Acting Executive Assistant Director for Cybersecurity Chris Butera. “CISA encourages suppliers to establish a coordinated vulnerability disclosure program and build constructive, collaborative relationships with security researchers to enhance product security.”
Security researchers can help software manufacturers and online service providers stay ahead of security issues, but these researchers need a clear and safe way to report the potential vulnerabilities they discover. This guidance outlines best practices for establishing a CVD program that demonstrates commitment to building safe and trustworthy products. A critical element to establishing a beneficial disclosure program is a clear public policy that explains the process, such as how people can report issues, what is allowed during testing, and what both sides should expect during the assessment—including keeping researchers updated so the process is open and builds trust.
For more information, visit CISA.gov – Coordinated Vulnerability Disclosure Program.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to manage, uncover, and reduce risk to our digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.