Payment Card Industry Data Security Standard (PCI-DSS) 4.0

Jurisdiction
International / Standards Bodies
Region
International
Requirement
Recommended
Organization
Payment Card Industry Security Standards Council (PCI-SSC)
Provision
6.3.1
Applies to
Organizations that use or facilitate payments with major credit card issuers
Date
March 2022
Description

Section 6.3 - Security vulnerabilities are identified and addressed. 

In the "defined approach requirements" for 6.3.1, PCI-SSC directs organizations to identify vulnerabilities "using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs)." Although Section 6.3 does not make a broad recommendation that covered entities operate coordinated vulnerability disclosure (CVD) or vulnerability disclosure programs (VDPs), its guidance for in-house developed software comes close. Specifically, it states: "For control over in-house developed software, the organization may receive such information from external sources. The organization can consider using a “bug bounty” program where it posts information (for example, on its website) so third parties can contact the organization with vulnerability information. External sources may include independent investigators or companies that report to the organization about identified vulnerabilities and may include sources such as the Common Vulnerability Scoring System (CVSS) or the OWASP Risk Rating Methodology."