Establishing a Coordinated Vulnerability Disclosure Program to Work With Security Researchers
CISA and NSA release guidance for coordinated vulnerability disclosure programs.
Summary
CISA, NSA, and international partners have released joint guidance on establishing Coordinated Vulnerability Disclosure (CVD) programs. The guidance outlines best practices for software manufacturers and online service providers to work with external security researchers, including clear policies for reporting, triaging, and remediating vulnerabilities. It also suggests using third-party intermediaries and highlights the benefits of robust CVD programs for enhancing product security and customer protection.
Full text
PUBLICATION Establishing a Coordinated Vulnerability Disclosure Program to Work With Security Researchers Publish DateJuly 15, 2026 Establishing a Coordinated Vulnerability Disclosure Program to Work With Securi… Related topics: Cyber Threats and Response Developed by CISA, the National Security Agency (NSA) and international partners, this joint guidance contains best practices for software manufacturers and online service providers to design and implement a coordinated vulnerability disclosure (CVD) program for working with external security researchers that includes a clear vulnerability disclosure policy (VDP) and process for triaging, remediating and assigning Common Vulnerabilities and Exposures (CVE) identifiers to reported vulnerabilities. The guidance also provides considerations for leveraging third-party intermediaries, like CISA or other national computer security incident response teams, to substitute or supplement a CVD program. By implementing a robust CVD program aligned with this guidance, organizations can work transparently and collaboratively with security researchers to remediate vulnerabilities, build constructive relationships, enhance product security while improving vulnerability management processes, and demonstrate their dedication to protecting customers. Tags Audience: Federal Government, Industry, State, Local, Tribal, and Territorial Government Language: English Programs: Coordinated Vulnerability Disclosure Program Topics: Cyber Threats and Response Related Resources Stakeholder-Specific Vulnerability Categorization (SSVC) Jun 24, 2026 Publication Using SASE in a Modern TIC 3.0 Solution Sep 01, 2019 Publication Information Sharing Architecture (ISA) Access Control Specification (ACS) v3.0a Oct 30, 2025 Publication Microsoft Exchange Server Security Best Practices