(TLP:CLEAR) CISA and International Partners Publish Guidance on Establishing Coordinated Vulnerability Disclosure Programs
Created: Thursday, July 16, 2026 - 14:56
Categories: Cybersecurity, Federal & State Resources, Security Preparedness
Summary: Yesterday, CISA, NSA, and international partners published joint guidance outlining best practices for software manufacturers and online service providers to establish coordinated vulnerability disclosure (CVD) programs. The guidance covers creating and publishing a vulnerability disclosure policy; defining processes to triage, remediate, and assign common vulnerabilities and exposures (CVE) identifiers to reported vulnerabilities; and leveraging third-party coordinators such as CISA to substitute or supplement an in-house program. It also recommends safe harbor language assuring researchers that good-faith work will not trigger legal action and includes a sample provision suppliers can adapt.
Analyst Note: While the guidance targets suppliers, it offers members a useful lens for evaluating the vendors behind their IT and OT systems. A supplier with a published disclosure policy, timely CVE records, and transparent advisories is more likely to surface and fix flaws before adversaries exploit them. Members can consider a vendor’s CVD posture during procurement and confirm how their SCADA and ICS suppliers accept and disclose vulnerability reports. Utilities that operate public-facing web services can also adapt these practices to receive good-faith reports about their own systems.
Original Source: https://www.cisa.gov/resources-tools/resources/establishing-coordinated-vulnerability-disclosure-program-work-security-researchers
Additional Reading:
- CISA Coordinated Vulnerability Disclosure Program
- CISA Secure by Design
- NCSC-UK Vulnerability Disclosure Toolkit
Related WaterISAC PIRs: 8, 12
