Jurisdiction
Belgium
Region
Europe
Requirement
Recommended
Policy
Guide to Coordinated Vulnerability Disclosure Policies, Part I: Good Practices
Applies to
Companies and organizations
Provision
N/A
Description

Outlines "good practices" for the content of a CVD and for the overall process of Discovery, Report, Investigate, Deploy a Solution, and (Possibly) Disclose Publicly.

Date
December 2020
Organization
Centre for Cyber Security Belgium
View source
Jurisdiction
Belgium
Region
Europe
Requirement
Recommended
Policy
Cybersecurity Strategy Belgium 2.0 2021-2025
Applies to
Companies and organizations
Provision
Section 3.2.2
Description

Companies and organizations are urged to publish a “Coordinated Vulnerability Disclosure Policy.” Through sectoral authorities, professional organizations and the Cyber Security Coalition Belgium, they will be informed of significant threats or vulnerabilities. Organizations of Vital Interest will also receive targeted and non-public alerts through the CCB’s Early Warning System (EWS).  Additionally, Belgium has established a legal framework (effective February 15, 2023) providing protections for ethical hackers who report vulnerabilities in good faith, ensuring they are not subject to prosecution under certain conditions.

Date
May 2021
Organization
Centre for Cyber Security Belgium
Jurisdiction
European Union
Region
Europe
Requirement
Recommended
Policy
Coordinated Vulnerability Disclosure Policies in the EU
Applies to
EU Member States
Provision
Section 4
Description

Encourages EU member states to implement CVD policies by providing recommendations for how to overcome the associated legal, economic, political, operational, and crisis management challenges. In the document, ENISA also hinted that, in the future, it might provide clear guidance to countries about how to establish a CVD policy, publish countries’ best practices and challenges, and publishing templates upon which countries can draft their policies. Since April 2022, ENISA has published updated guidance and practical templates to assist member states in establishing effective CVD policies.

Date
April 2022
Organization
European Union Agency for Cybersecurity (ENISA)
View source
Jurisdiction
Canada
Region
North America
Requirement
Recommended
Policy
Cyber Security Self-Assessment
Applies to
Federally regulated financial institutions (FRFIs) in Canada
Provision
Item 42
Description

The FRFI has identified reputable sources of vulnerability information, and subscribes to recognized and authoritative vulnerability reporting services.

Date
August 2021
Organization
Office of the Superintendent of Financial Institutions (OSFI)
View source
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
Cyber Related Sanctions FAQs
Applies to
Reporters of vulnerabilities / good faith security researchers
Provision
FAQ 448
Description
Question: I conduct cyber-related activities for legitimate educational, network defense, or research purposes only. Am I vulnerable to the application of sanctions under this authority for these activities?  Answer: The measures in this order are directed against significant malicious cyber-enabled activities that have the purpose or effect of causing specific enumerated harms, and are not designed to prevent or interfere with legitimate cyber-enabled academic, business, or non-profit activities. The U.S. government supports efforts by researchers, cybersecurity experts, and network defense specialists to identify, respond to, and repair vulnerabilities that could be exploited by malicious actors. Similarly, these measures are not intended to target persons engaged in legitimate activities to ensure and promote the security of information systems, such as penetration testing and other methodologies, or to prevent or interfere with legitimate cyber-enabled activities undertaken to further academic research or commercial innovation as part of computer security-oriented conventions, competitions, or similar “good faith” events.
Date
April 2015
Organization
Office of Foreign Assets Control (OFAC)
View source
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
Vulnerability Disclosure Attitudes and Actions
Applies to
Organizations
Provision
N/A
Description
In September 2015, the National Telecommunications and Information Administration (NTIA) convened a multi-stakeholder process to investigate software vulnerability disclosure and handling practices. The process was open to any interested participant and included members from business, government, and civil society. Members organized into three working groups to study diferent aspects of vulnerability disclosure and handling. This report is a product of the “Awareness and Adoption Working Group,” which focused on increasing understanding and use of best practices.
Date
December 2016
Organization
National Telecommunications and Information Administration
View source
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
“Early Stage” Coordinated Vulnerability Disclosure Template Version 1.1
Applies to
Companies and organizations, especially those in "safety-critical industries" (e.g., automotive, medical devices, etc.)
Provision
N/A
Description
In 2016, NTIA convened "a multistakeholder process to address principles and practices around security researcher disclosure." The NTIA Safety Working Group produced this document to outline the initial steps an organization can take to improve collaboration withing the context of vulnerability disclosure and remediation. "Much of the discussion targeted the safety-critical industry, in which the potential for harm directly impacts publci safety or causes physical damage (e.g., automobiles or medical devices), but the lessons are easily adaptable by any organization that builds or maintains its own software systems." NTIA's document is broken into the following sections: 1. Introduction: Disclosure and Safety 2. Disclosure Policy: First Steps 3. Template Disclosure Policy 4. Sample Vulnerability Disclosure Policy Template 5. Issues to Consider in Writing a Disclosure Policy
Date
December 2016
Organization
National Telecommunications and Information Administration
View source
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
A Framework for a Vulnerability Disclosure Program for Online Systems
Applies to
Organizations
Provision
N/A
Description
A framework to assist organizations interested in instituting a formal vulnerability disclosure program. It provides a rubric of considerations that may inform the content of vulnerability disclosure policies. The framework does not dictate the form of or objectives for vulnerability disclosure programs; different organizations may have differing goals and priorities for their vulnerability disclosure programs. Instead, the framework outlines a process for designing a vulnerability disclosure program that will clearly describe authorized vulnerability disclosure and discovery conduct, thereby substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act. The framework consists of four steps: 1. Design the vulnerability disclosure program2. Plan for administering the vulnerability disclosure program3. Draft a vulnerability disclosure policy that accurately and unambiguously captures the organization’s intent4. Implement the vulnerability disclosure program
Date
July 2017
Organization
U.S. Department of Justice
View source
Jurisdiction
United States
Region
North America
Requirement
Recommended
Policy
FDA Postmarket Guidance for Medical Devices
Applies to
Medical device manufacturers
Provision
Sec. V(B), VII
Description

Section V(B): Manufacturers should implement "Cybersecurity Risk Management Programs" that include "adopting a coordinated vulnerability disclosure policy and practice." Since the rule was published in 2016, it suggests that manufacturers make use of the ISO/IEC 29147:2014 (Information Technology - Security Techniques - Vulnerability Disclosure) Standard, which has since been replaced by a new version in 2018. 

Section VII: Manufacturers should "adopt a coordinated vulnerability disclosure policy and practice that includes acknowledging receipt of the initial vulnerability report to the vulnerability submitter

Date
December 2016
Organization
FDA
View source