
Vulnerability Disclosure Guidance

References Associated with Vulnerability Disclosure

References

ISO/IEC 29147
International Organization for Standardization/International Electrotechnical Commission (2018) ISO/IEC 29147:2018 – Information technology – Security techniques – Vulnerability disclosure (ISO, Geneva, Switzerland). Available at https://www.iso.org/standard/72311.html

ISO/IEC 30111
International Organization for Standardization/International Electrotechnical Commission (2019) ISO/IEC 30111:2019 – Information technology – Security techniques – Vulnerability handling processes (ISO, Geneva, Switzerland). Available at https://www.iso.org/standard/69725.html

ISO/IEC 27002
International Organization for Standardization/International Electrotechnical Commission (2013) ISO/IEC 27002:2013 – Information technology – Security techniques – Code of practice for information security controls (ISO, Geneva, Switzerland). Available at https://www.iso.org/standard/54533.html

DHS VDP Template
Department of Homeland Security (DHS) Vulnerability Disclosure Policy (VDP) Template. Available at https://cyber.dhs.gov/bod/20-01/vdp-template/

DOD VDP
U.S. Department of Defense, Cyber Crime Center (2016) Vulnerability Disclosure Program (VDP). (U.S. Department of Defense, Washington, DC). Available at https://www.dc3.mil/Vulnerability-Disclosure/Vulnerability-Disclosure-Program-VDP/

CISA CVD
Cybersecurity & Infrastructure Security Agency (CISA) (2017) Coordinated Vulnerability Disclosure (CVD) Process. Available at https://www.cisa.gov/coordinated-vulnerability-disclosure-process

DOJ VDP
U.S. Department of Justice, Criminal Division, Cybersecurity Unit (2017) A Framework for a Vulnerability Disclosure Program for Online Systems. (U.S. Department of Justice, Washington, DC). Available at https://www.justice.gov/criminal-ccips/page/file/983996/download

GSA TTS PDV
U.S. General Services Administration, Technology Transformation Services. Public Disclosure of Vulnerabilities. Available at https://handbook.tts.gsa.gov/responding-to-public-disclosure-vulnerabilities/

NISTIR 8246
Byers R, Waltermire D, Turner C (2020) Collaborative Vulnerability Metadata Acceptance Process (CVMAP) for CVE Numbering Authorities (CNAs) and Authorized Data Publishers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8246. https://doi.org/10.6028/NIST.IR.8246

Created February 04, 2021, Updated June 07, 2021