The purpose of this Recommendation is to provide guidance on implementing the Digital Security Recommendation by developing public policies that foster vulnerability treatment, thereby reducing digital security risk, strengthening trust and supporting digital transformation.
Section 6.3 - Security vulnerabilities are identified and addressed.
In the "defined approach requirements", PCI DSS directs organizations to identify vulnerabilities "using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs)." Although Section 6.3 does not make a broad recommendation that covered entities have CVD/VDPs, it comes close in its guidance for in-house developed software. Specifically, it states: "For control over in-house developed software, the organization may receive such information from external sources. The organization can consider using a 'bug bounty' program where it posts information (for example, on its website) so third parties can contact the organization with vulnerability information. External sources may include independent investigators or companies that report to the organization about identified vulnerabilities and may include sources such as the Common Vulnerability Scoring System (CVSS) or the OWASP Risk Rating Methodology."
The manufacturer shall make a vulnerability disclosure policy publicly available. This policy shall include, at a minimum:
• contact information for the reporting of issues; and
• information on timelines for: 1) initial acknowledgement of receipt; and 2) status updates until the resolution of the reported issues.
Provides guidance on the "essential steps" companies should take when deciding to implement a VDP. ETSI explicitly states that the document is not intended to be a "comprehensive" guide.
Recommends and outlines best practices for "Informers" and "System Owners". The policy also explains in which cases SingCERT can/cannot act as a conduit between Informers and System Owners. Broadly speaking, "SingCERT supports RVD as a means of fostering cooperation between System Owner(s) and the wider cybersecurity community, so as to improve cybersecurity and build a trusted and resilient cyberspace."
"System Owners are encouraged to develop their own vulnerability disclosure policies setting out how vulnerability reports will be received and handled, what the reports should contain, approaches for disclosure to affected users and the public, as well as any rewards policies." System Owners are also encouraged to stay in contact with the Informer to obtain any further information and to update both SingCERT and the Informer on their assessment of the report.
If the Informer cannot reach the System Owner, SingCERT can act as a liaison between the two. In that case, the Informer reports the vulnerability to SingCERT by email.
Version 2.0 of this manual was released in October 2024.