Adopt a coordinated vulnerability disclosure policy

The adoption of coordinated vulnerability disclosure (CVD) policies is essential for the cybersecurity planning of any technology company today. This includes manufacturers and vendors responsible for mass market consumer internet-of-things (IoT) devices, companies that may not have previously thought of themselves as “technology” companies in the traditional sense. Simply put, these policies create a process by which security researchers and others outside a company can safely report vulnerabilities they discover in the hardware or software of that company's products, vulnerabilities which might otherwise leave those products open to attack. Such security researchers need to have confidence that a responsible process exists for them to report vulnerabilities without fear of reprisal, and also that any vulnerability they report will be investigated and addressed in a timely fashion to keep users safe.

While CVD policies have become increasingly common in traditional tech spaces, it is critical that they are also widely embraced by IoT device manufacturers and vendors, given how ubiquitous connected consumer products are becoming. These CVD policies are not one-size-fits-all and will vary based on the nature of a given company, its corporate structure, and the products it produces. However, the Cybersecurity Tech Accord has written at length about the topic in the past to provide high-level guidance. In addition, more than 100 of our signatory companies have adopted and published CVD policies, which serve as a plethora of examples for other companies exploring how to adopt such policies themselves.

Guidance materials on CVD policies

GFCE Global Good Practices Coordinated Vulnerability Disclosure (CVD) – Global Forum on Cyber Expertise (GFCE)

ISO/IEC 29147:2018 Information technology — Security techniques — Vulnerability disclosure – International Standards Organization (ISO)

The CERT Guide to Coordinated Vulnerability Disclosure – Software Engineering Institute, Carnegie Mellon University

CVD policy examples from Cybersecurity Tech Accord signatories