A Framework for a Vulnerability Disclosure Program for Online Systems

Jurisdiction
United States
Region
North America
Requirement
Recommended
Organization
U.S. Department of Justice
Provision
N/A
Applies to
Organizations
Date
July 2017
Description
A framework to assist organizations interested in instituting a formal vulnerability disclosure program. It provides a rubric of considerations that may inform the content of vulnerability disclosure policies. The framework does not dictate the form of or objectives for vulnerability disclosure programs; different organizations may have differing goals and priorities for their vulnerability disclosure programs. Instead, the framework outlines a process for designing a vulnerability disclosure program that will clearly describe authorized vulnerability disclosure and discovery conduct, thereby substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act.

The framework consists of four steps:

1. Design the vulnerability disclosure program
2. Plan for administering the vulnerability disclosure program
3. Draft a vulnerability disclosure policy that accurately and unambiguously captures the organization’s intent
4. Implement the vulnerability disclosure program