In recent years the CERT/CC has advised a number of organizations on their vulnerability disclosure policies. In the interest of helping others develop or improve their own policies, we've collected policy items from a variety of vulnerability disclosure policies including our own, generalized them, organized them by topic, and put them into a git repository. The policy templates in this repository are meant to be remixed and adapted for different organizations and contexts. It is unlikely that any single organization would choose to adopt all of these items wholesale without some modification.
https://github.com/CERTCC/vulnerability_disclosure_policy_templates
The NTIA Early Stage Template focuses on vulnerability disclosure policy development in safety-critical industries, in which the potential for harm directly impacts public safety or causes physical damage (e.g., automobiles or medical devices), but the lessons are easily adaptable by any organization that builds or maintains its own software or systems. A discussion of issues and a template policy are included.
https://www.ntia.doc.gov/files/ntia/publications/ntia_vuln_disclosure_early_stage_template.pdf
disclose.io is a cross-industry, vendor-agnostic standardization project for safe harbor best practices to enable good-faith security research.
Main web site: https://disclose.io/
GitHub repository with policy templates: https://github.com/disclose/disclose
Bugcrowd and CipherLaw created the Open Source Vulnerability Disclosure Framework, offered under a Creative Commons Attribution 4.0 International License. The framework "is designed to quickly and smoothly prepare your organization to work with the independent security researcher community while reducing the legal risks to researchers and companies." In addition to a policy template "written with both simplicity and legal completeness in mind," a guidance document is provided for setting up a vulnerability disclosure program.
https://github.com/bugcrowd/disclosure-policy
security.txt: a proposed standard (since published as RFC 9116) for a small machine-readable text file, served at /.well-known/security.txt, in which a website states where and how to report security issues and links to its vulnerability disclosure policy.
https://securitytxt.org/ and IETF draft https://tools.ietf.org/html/draft-foudil-securitytxt-08
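Because a security.txt file is what researchers will actually read before contacting you, it is worth checking that the published file is well formed. The validator below is an added example written for this page; it is not code from CERT/CC, securitytxt.org or the IETF draft. The field names and the requirement that Contact and Expires be present follow RFC 9116, the published form of the draft linked above; the stricter checks (https-only web URIs, a single Expires, an expiry date in the future) are assumptions about what a deployer would want, and the two sample files are constructed for the example using the reserved example.com domain.

```python
# Added example for this page, not code from CERT/CC or the securitytxt project.
# Validates the shape of a security.txt file. Field names and the "Contact and
# Expires required" rule follow RFC 9116; the https-only and single-Expires
# checks are this example's own assumptions about a sensible deployment.
from datetime import datetime, timezone

REQUIRED = {"Contact", "Expires"}
KNOWN = {"Acknowledgments", "Canonical", "Contact", "Encryption",
         "Expires", "Hiring", "Policy", "Preferred-Languages"}
SINGLETON = {"Expires", "Preferred-Languages"}          # may appear at most once
URI_FIELDS = {"Acknowledgments", "Canonical", "Encryption", "Hiring", "Policy"}


def parse_security_txt(text):
    """Return (fields, errors): fields is an ordered list of (name, value).
    Blank lines and '#' comment lines are skipped."""
    fields, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            errors.append(f"line {lineno}: expected 'Field: value', got {line!r}")
            continue
        name, value = line.split(":", 1)
        fields.append((name.strip(), value.strip()))
    return fields, errors


def validate_security_txt(text, now=None):
    """Return a list of problems found; an empty list means the file passed."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_security_txt(text)
    names = [name for name, _ in fields]

    for req in sorted(REQUIRED - set(names)):
        errors.append(f"missing required field: {req}")
    for dup in sorted(s for s in SINGLETON if names.count(s) > 1):
        errors.append(f"field appears more than once: {dup}")

    for name, value in fields:
        if name not in KNOWN:
            errors.append(f"unknown field (readers will ignore it): {name}")
        elif name == "Contact" and not value.startswith(("mailto:", "tel:", "https://")):
            errors.append(f"Contact must be a mailto:, tel: or https: URI: {value}")
        elif name in URI_FIELDS and not value.startswith("https://"):
            errors.append(f"{name} must be an https: URI: {value}")
        elif name == "Expires":
            # RFC 9116 uses ISO 8601; accept a trailing Z for UTC.
            iso = value[:-1] + "+00:00" if value[-1:] in ("Z", "z") else value
            try:
                expires = datetime.fromisoformat(iso)
            except ValueError:
                errors.append(f"Expires is not an ISO 8601 timestamp: {value}")
                continue
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            if expires <= now:
                errors.append(f"file has expired (Expires: {value})")
    return errors


# Constructed sample: a well-formed file for the reserved domain example.com.
GOOD = """\
# security.txt for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security/policy
Preferred-Languages: en, es
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample with the mistakes seen most often in published files.
BAD = """\
Contact: security@example.com
Policy: http://example.com/security/policy
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
Reward: 500 USD
"""

if __name__ == "__main__":
    for label, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate_security_txt(body) or "ok")
```

Run it against the file you actually serve (for example, the body fetched from https://yourdomain/.well-known/security.txt) rather than the copy in your repository, since a stale deployed file with a past Expires date is the failure a researcher will hit.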
The United States General Services Administration (GSA)'s Technology Transformation Service (TTS) provides its vulnerability disclosure policy as a public domain resource.
https://github.com/18F/vulnerability-disclosure-policy
The Good Practice Guide on Vulnerability Disclosure from the European Union Agency for Network and Information Security (ENISA) includes an annotated vulnerability disclosure policy template as an annex.
https://www.enisa.europa.eu/publications/vulnerability-disclosure/at_download/fullReport
The United States Department of Justice (DoJ) has published a white paper containing guidance aimed at developing vulnerability disclosure programs for online systems and services. This report makes a point to distinguish online systems and services from "third-party vulnerability disclosure and hands-on—rather than remote—examination of software, devices, or hardware" because of potentially distinct legal issues that may arise.
https://www.justice.gov/criminal-ccips/page/file/983996/download
The aforementioned report is one of many related white papers provided by the DoJ's Computer Crime and Intellectual Property Section.
https://www.justice.gov/criminal-ccips/ccips-documents-and-reports
Numerous organizations have already posted their vulnerability disclosure policies. A wide variety of these policies can be found by searching the web for "vulnerability disclosure policy" or "vulnerability disclosure program," or by browsing third-party vulnerability disclosure (e.g., bug bounty) service providers' hosted programs.