Vulnerability disclosure program

Implementing a vulnerability disclosure program, based on responsible disclosure, can assist an organisation to improve the security of their products and services as it provides a way for security researchers and other members of the public to responsibly notify them of vulnerabilities in a coordinated manner. Furthermore, following the verification and resolution of reported vulnerabilities, it can assist an organisation in notifying their customers of vulnerabilities that have been discovered in their products and services, and any patches, updates or vendor mitigations that should be applied.

A vulnerability disclosure program should include processes and procedures for receiving, verifying, resolving and reporting vulnerabilities disclosed by internal and external parties. In support of this, a vulnerability disclosure policy should be made publicly available that covers:

• the purpose of the vulnerability disclosure program
• types of security research that are and are not allowed
• how to report any vulnerabilities
• actions, and associated timeframes, upon notification of vulnerabilities
• expectations regarding the public disclosure of vulnerabilities
• any recognition or reward for finders of vulnerabilities.

Finally, ASD encourages security researchers and other members of the public to responsibly report vulnerabilities directly to an organisation. However, ASD recognises that this is not always practical, initial attempts at communication may be unsuccessful or the person making the report may not wish to do so directly. In such cases, vulnerabilities can be reported to ASD as an independent coordinator. Note, under ASD’s limited use obligation, information voluntarily provided to ASD about vulnerabilities cannot be used for regulatory purposes.