Protective Security Policy Framework - Policy 11 - Robust ICT Systems

Jurisdiction: Australia
Region: Asia/Pacific
Requirement: Required
Organization: Australian Department of Home Affairs
Provision: C.6
Applies to: Australian Government entities
Date: July 29, 2022
Description

C.6 Vulnerability Disclosure Program

60. Requirement 4 mandates that all entities must have in place a vulnerability disclosure program. This includes having a publicly available vulnerability disclosure policy supported by processes and procedures for receiving, verifying, resolving and reporting on security vulnerabilities disclosed by both internal and external sources.

61. Implementing a vulnerability disclosure program, based on responsible disclosure, can assist entities, vendors and service providers to improve the security of their products and services, as it provides a way for security researchers, customers and members of the public to responsibly notify them of potential security vulnerabilities in a coordinated manner. Furthermore, following the verification and resolution of a reported security vulnerability, it can assist entities, vendors and service providers in notifying their customers of any security vulnerabilities that have been discovered in their products and services, and of any recommended security patches, updates or mitigations.

62. For guidance on the creation and maintenance of vulnerability disclosure programs, see the Information Security Manual and Guidelines for Software Development.

A new iteration of the Guidelines for Software Development, including updated guidance on vulnerability disclosure programs, was published in March 2025.