Title: Recommendations for Federal Vulnerability Disclosure Guidelines
Authors: Kim Schaffer, Peter Mell, Hung Trinh, Isabel Van Wyk
Publication year: 2023
Publisher: National Institute of Standards and Technology
Abstract
Receiving reports on suspected security vulnerabilities in information systems is one of the best ways for developers and services to become aware of issues. Formalizing actions to accept, assess, and manage vulnerability disclosure reports can help reduce known security vulnerabilities. This document recommends guidance for establishing a federal vulnerability disclosure framework, properly handling vulnerability reports, and communicating the mitigation and/or remediation of vulnerabilities. The framework allows for local resolution support while providing federal oversight and should be applied to all software, hardware, and digital services under federal control.
Contents
Executive Summary 1
1. U.S. Government Vulnerability Disclosure 2
1.1. Usage of Document Terminology 5
2. Federal Vulnerability Disclosure Coordination Body 6
2.1. Preparation 7
2.1.1. Create Source Vulnerability Report Receipt Capability 7
2.1.2. Determine Scope and Obtain Contacts 8
2.1.3. Develop Technical Analysis Capability 9
2.2. Receive Source Vulnerability Report 9
2.3. Triage and Prioritize Source Vulnerability Report 9
2.4. Determine the Reported Vulnerable System 10
2.5. Identify the Reported Vulnerable Software 10
2.6. Verify and Remediate Vulnerability 10
2.7. Determine Whether to Publish an Advisory 11
2.7.1. Determine Whether Public Disclosure is Warranted 11
2.7.2. Produce Advisory 12
2.7.3. Government Advisory Services 13
2.8. Stakeholders in Federal Vulnerability Disclosure Coordination 14
2.9. Technical Approaches and Resources 14
3. Vulnerability Disclosure Program Offices 16
3.1. Vulnerability Disclosure Program Office Description 16
3.2. Vulnerability Disclosure Program Office Structural Requirements 16
3.2.1. Development of Source Vulnerability Report Acceptance Policies 17
3.2.2. Monitoring of Source Vulnerability Reports 17
3.2.3. Processing and Resolution of Source Vulnerability Reports 18
3.2.4. Development of Vulnerability Disclosure Handling Procedures 18
3.2.5. Vulnerability Disclosure Program Office Operational Duties 18
3.3. Management Considerations 22
3.3.1. Leadership Support 22
3.3.2. Staffing Needs 22
3.3.3. Leveraging Existing Processes 22
3.3.4. Integration of Contractor Support into the VDPO 22
3.3.5. Customer Support and Public Relations 22
References 24
Appendix A. List of Symbols, Abbreviations, and Acronyms 26
Appendix B. Glossary 27
Appendix C. Examples and Resources for Federal Vulnerability Disclosure Programs and Policies 28
Holding institution
中国计量科学院文献馆 (library of the National Institute of Metrology, China)