D.1.3 Vulnerability disclosure

Control Details

Objective

Aid organizations in responding to vulnerabilities to reduce the window of opportunity for attackers

Definition

Have a policy that covers vulnerability disclosure, remediation, and the organization's response to reported vulnerabilities. Implement the roles, responsibilities, and processes needed to support that policy, including a Product Security Incident Response Team (PSIRT) that handles vulnerability reports and incidents. The disclosure program will require input from internal stakeholders such as legal, marketing, and public relations.

Assessment Questions

  1. What is your process for vulnerability disclosure and remediation, and which roles, responsibilities, and processes support it?
  2. How do you develop and release security advisories to your software acquirers?
  3. How do you publish a security policy (e.g. via a SECURITY.md file) that tells users how to report a vulnerability and what to expect after reporting it?
  4. How do users know how to report vulnerabilities?
  5. Who staffs the PSIRT, and who is accountable for it?
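The following is an added illustration of the kind of SECURITY.md that answers questions 3 and 4; it is not taken from this framework or from any particular project, and the contact address, key fingerprint placeholder, and timelines are assumptions to be replaced with the organization's own. It covers what a reporter needs (where to send the report, how to encrypt it, what to include) and what the PSIRT commits to (acknowledgement, triage, coordinated disclosure). The OpenSSF Scorecard security-policy check referenced below looks for a file of this name in the repository or the organization's `.github` repository, so keeping the file in one of those locations makes the policy discoverable by tooling as well as by people.

```markdown
# Security Policy

## Reporting a vulnerability

Please do **not** open a public issue for security problems.

Email `security@example.com` (assumed address) with:

- the affected component and version (or commit hash)
- a description of the issue and its impact
- steps or a proof of concept to reproduce it

Encrypt sensitive reports to our PGP key: fingerprint `<key fingerprint here>`.

## What to expect

- **Acknowledgement:** within 3 business days of receipt.
- **Triage:** the PSIRT assesses severity (CVSS) and confirms or declines the
  report within 10 business days.
- **Fix and disclosure:** we aim to release a fix and publish an advisory
  within 90 days of confirmation; we coordinate the publication date with you.
- **Credit:** reporters are credited in the advisory unless they ask otherwise.

## Supported versions

Only the latest minor release receives security fixes.

## Advisories

Published advisories are listed at `https://example.com/security/advisories`
(assumed URL).
```

Keep the stated timelines achievable: a published commitment the PSIRT routinely misses is worse than a longer one it meets, and reporters who get no response tend to disclose unilaterally.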

Reference sources

  1. EO 4e(viii)
  2. SSDF RV.1.3
  3. SSDF-AI RV.1.3
  4. BSIMM CMVM1.1 CMVM1.4 CMVM2.4
  5. 800-161 SA-15
  6. S2C2F INV-2
  7. SAMM I-DM-2-A
  8. OSSF-Scorecard security-policy