Mechanisms are established and maintained to receive and respond to reports from the public or external parties of potential vulnerabilities related to the organisation’s IT and OT assets, such as public-facing websites or mobile applications
Context and Guidance: If an individual external to the organisation identifies a vulnerability in one of the organisation’s IT or OT assets, it is beneficial for the organisation to be notified. Developing a process that integrates with existing vulnerability management activities better enables the cybersecurity program to identify vulnerabilities. This mechanism should enable the organisation to receive such communications and take the necessary action (e.g., analysis and testing to verify that a reported vulnerability exists). The implemented mechanism should complement current vulnerability management activities, and organisations should consider whether the mechanism would necessitate additional resources. For example, if a bug in a website allows an attacker to access unauthorised information, the individual who discovered the vulnerability sends an email to a specified email address with details about the vulnerability. This capability may be implemented in a variety of ways, such as setting up a web form, a dedicated email address, or a third-party service.
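One concrete way to advertise the dedicated intake email address mentioned above is a security.txt file (RFC 9116) served at /.well-known/security.txt, so that an external finder knows where to send a report. The following is an added example, not part of the practice text or any organisation’s own tooling; the contact address, policy URL and canonical URL are constructed placeholders. It renders the file and then checks it for the problems that most often make such a channel fail in practice: a missing Contact, a Contact that is not a mailto/https/tel URI, a missing or malformed Expires, and an Expires that is already past or set more than a year out.

```python
"""Render and sanity-check an RFC 9116 security.txt that advertises the
organisation's vulnerability-report intake channel.

Added example; all addresses and URLs below are constructed placeholders."""
from datetime import datetime, timedelta, timezone

# Constructed sample values: replace with the organisation's real intake address.
INTAKE_CONTACT = "mailto:security-reports@example.org"
POLICY_URL = "https://example.org/vulnerability-disclosure-policy"
CANONICAL_URL = "https://example.org/.well-known/security.txt"
# Fixed "current time" so the demo is reproducible offline.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# RFC 9116 requires Contact values to be URIs; these are the usual schemes.
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def build_security_txt(contact, expires, policy=None, canonical=None, languages=None):
    """Render a security.txt body. `expires` must be a timezone-aware datetime."""
    lines = [
        "# Vulnerability report intake (RFC 9116)",
        f"Contact: {contact}",
        "Expires: " + expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    ]
    if policy:
        lines.append(f"Policy: {policy}")
    if canonical:
        lines.append(f"Canonical: {canonical}")
    if languages:
        lines.append("Preferred-Languages: " + ", ".join(languages))
    return "\n".join(lines) + "\n"


def check_security_txt(text, now=None):
    """Return a list of problems found; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    fields, problems = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no fields
        if ":" not in line:
            problems.append(f"malformed line: {line!r}")
            continue
        name, value = line.split(":", 1)
        fields.append((name.strip(), value.strip()))

    contacts = [v for n, v in fields if n == "Contact"]
    if not contacts:
        problems.append("missing Contact field")
    for c in contacts:
        if not c.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto/https/tel URI: {c}")

    expires = [v for n, v in fields if n == "Expires"]
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:  # only the UTC 'Z' form of the RFC 3339 timestamp is accepted here
            when = datetime.strptime(expires[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 UTC timestamp: {expires[0]}")
        else:
            if when <= now:
                problems.append("Expires is in the past; finders will treat the file as stale")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year out; RFC 9116 recommends under a year")
    return problems


def demo(now=SAMPLE_NOW):
    """Check a good file and two deliberately broken ones; return the findings."""
    good = build_security_txt(INTAKE_CONTACT, now + timedelta(days=180),
                              policy=POLICY_URL, canonical=CANONICAL_URL, languages=["en"])
    bare_address = "Contact: security-reports@example.org\n"   # no scheme, no Expires
    stale = build_security_txt(INTAKE_CONTACT, now - timedelta(days=1))
    return {
        "good": check_security_txt(good, now),
        "bare_address": check_security_txt(bare_address, now),
        "stale": check_security_txt(stale, now),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

Serving the rendered file is only half of the mechanism: the address it advertises must be routed into the existing vulnerability management workflow (a ticket queue or similar) so that each report is triaged and verified, and the Expires check above belongs in a periodic job so the published contact never goes stale.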
Related Practices
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: THREAT-1b, THREAT-1i, THREAT-1m.