3.2 Ensure the organisation implements and publishes an effective vulnerability disclosure process to support a transparent and open culture within the organisation.  Associated technical control: Implement a vulnerability disclosure policy. (The organisation publishes a vulnerability disclosure policy which provides a public point of contact in order that security researchers and others are able to report issues. Disclosed vulnerabilities are then reported to relevant parties (outlined in the implementation guidance) and acted on in a timely manner.)

6.3 Developers and System Operators shall implement and publish an effective vulnerability disclosure process to support a transparent and open culture within the organisation.  11.2 Developers shall provide security updates and patches, where possible, and notify System Operators and End-users of the security updates. 11.2.1 In instances where updates can’t be provided, Developers shall have mechanisms for escalating issues to the wider community, particularly customers and other Developers. To help deliver this, they could publish bulletins responding to vulnerability disclosures, including detailed and complete common vulnerability enumeration. 

The Government will propose the necessary legislative changes and initiatives to make possible or deepen different approaches in order to improve cybersecurity by using the collective intelligence of security researchers, private companies active in the search for vulnerabilities and any users who discover a security breach. The possibility of creating, in the near future, a platform at GOVCERT.LU that encourages researchers to report bugs, especially those associated with vulnerabilities, will be analysed.

The newly created National Cybersecurity Centre will oversee - with the assistance of the Constitution Protection Bureau - the voluntary implementation of a coordinated vulenrabilty disclosure process within institutions in line with NIS2.

8.1.8 Responding responsibly to vulnerabilities – promoting coordinated vulnerability Our aim is for the Federal Government to develop a framework to ensure that those reporting bugs have legal certainty if they approach companies to inform them that they have become aware of vulnerabilities, with a view to fostering proactive vulnerability governance. There will be reliable points of contact for them to report their findings. These can take the form of internal contact points which companies themselves are obligated to set up, or the BSI as a public liaison office. The legislator will obligate the companies affected to provide points of contact and processes to enable them to fix reported vulnerabilities in a suitable time frame. The extent to which the rights and duties are set out on both sides of the CVD process will be examined. These rights and duties could include a holdback period before making vulnerabilities public or a binding deadline for patches or updates. A coordinated process will be put in place between the BSI and manufacturers which extends beyond the simple exchange of information. This will also apply to vulnerabilities in the IT supply chains of products and services (supply chain security).