WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the National Security Agency (NSA), Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), Netherlands’ National Cyber Security Centre (NCSC-NL), and United Kingdom’s National Cyber Security Centre (NCSC-UK), published Establishing a Coordinated Vulnerability Disclosure Program to Work With Security Researchers.
This guidance helps software manufacturers and online service providers collaborate effectively with security researchers who identify weaknesses in software, networks, and hardware in a structured, transparent framework. A well-defined coordinated vulnerability disclosure (CVD) program enables software manufacturers and online service providers to better assess potential risk, improve their vulnerability management processes, and make informed decisions that improve product security for their customers.
"Coordinated vulnerability disclosure is foundational to building a secure software ecosystem. The practices in this guide help protect customers, strengthen products and support CISA’s Secure by Design initiative, which encourages companies to be transparent and responsible in how they build and maintain their technology,” said Acting Executive Assistant Director for Cybersecurity Chris Butera. “CISA encourages suppliers to establish a coordinated vulnerability disclosure program and build constructive, collaborative relationships with security researchers to enhance product security.”
Security researchers can help software manufacturers and online service providers stay ahead of security issues, but these researchers need a clear and safe way to report the potential vulnerabilities they discover. This guidance outlines best practices for establishing a CVD program that demonstrates commitment to building safe and trustworthy products. A critical element to establishing a beneficial disclosure program is a clear public policy that explains the process, such as how people can report issues, what is allowed during testing, and what both sides should expect during the assessment—including keeping researchers updated so the process is open and builds trust.
For more information, visit CISA.gov - Coordinated Vulnerability Disclosure Program.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to manage, uncover, and reduce risk to our digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.
Facts Only
* CISA published guidance on Establishing a Coordinated Vulnerability Disclosure Program to Work With Security Researchers.
* The collaboration involved CISA, NSA, JPCERT/CC, NCSC-NL, and NCSC-UK.
* The guidance helps software manufacturers and online service providers collaborate with security researchers regarding weaknesses in software, networks, and hardware.
* A coordinated vulnerability disclosure (CVD) program enables organizations to assess potential risk and improve vulnerability management.
* Coordinated vulnerability disclosure is foundational to building a secure software ecosystem.
* The practices outlined aim to protect customers and support CISA’s Secure by Design initiative.
* A critical element for a beneficial disclosure program is a clear public policy explaining the process, reporting methods, testing allowances, and expectations for updates.
Executive Summary
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the National Security Agency (NSA), JPCERT/CC, NCSC-NL, and NCSC-UK, published guidance establishing a Coordinated Vulnerability Disclosure (CVD) Program for working with security researchers. This guidance aims to facilitate collaboration between software manufacturers and online service providers and security researchers in a structured and transparent framework when identifying weaknesses in software, networks, and hardware.
A coordinated vulnerability disclosure program is intended to enable organizations to better assess potential risk, improve their vulnerability management processes, and make informed decisions that enhance product security for customers. Acting Executive Assistant Director for Cybersecurity Chris Butera stated that coordinated vulnerability disclosure is foundational to a secure software ecosystem and supports the Secure by Design initiative by encouraging transparency from technology builders.
The guidance emphasizes that security researchers require a clear and safe method for reporting discovered vulnerabilities. Establishing a beneficial disclosure program requires a public policy that clearly explains processes, including how issues are reported, permissible testing activities, and expectations for both parties, ensuring ongoing updates to maintain trust within the collaborative relationship.
Full Take
The framework introduced reflects a necessary shift from ad-hoc security responses to formalized, systemic responsibility within the technology supply chain. The emphasis on a coordinated disclosure program addresses a critical friction point: the tension between an entity's need for product security control and a researcher's need for safe, timely reporting. This moves vulnerability management from a reactive patching exercise to a proactive, shared risk assessment model embedded in the development lifecycle.
The underlying pattern concerns trust establishment within complex technical ecosystems. When mechanisms for disclosure are unclear or adversarial, the natural tendency is for actors to withhold information, creating security gaps rather than mitigating them. The success of this guidance hinges not just on the existence of the policy, but on its consistent, transparent execution by all participating entities. A failure in coordination can easily undermine the intent of "Secure by Design" by introducing distrust between developers and the security community, leading to delayed or suppressed disclosures that ultimately increase risk for end-users.
The implication is that security architecture must incorporate social protocols as rigorously as cryptographic protocols. The operational challenge lies in ensuring that this structured framework remains respected even when immediate pressure exists to treat disclosure as purely a legal or competitive liability rather than a shared stewardship responsibility. What mechanisms exist to enforce the collaborative relationships outlined, and how can trust be maintained across diverse organizational cultures during high-stakes vulnerability disclosures?
