Draft of ETSI Coordinated vulnerability disclosure guide available for public comments

Sophia Antipolis, 24 August 2021

ETSI will soon release a Guide to Coordinated Vulnerability Disclosure. Before publication, it made the draft publicly available for comments. Please send your feedback by 15 September to the technical committee CYBER at cybersupport@etsi.org 

Security vulnerabilities are frequently discovered and, when they are, the finders of these vulnerabilities want to be able to report them directly to the organisation who can fix the issue. These vulnerability reports provide an organization with valuable information, which it can use to improve the security of its products and services. It is therefore in the best interest of an organisation to encourage vulnerability disclosure.

Having a clearly sign-posted disclosure process demonstrates that an organization takes security seriously. By providing such a process, organisations receive the information to address the vulnerability and to reduce the risk of compromise.

This process also reduces the potential for reputational damage; by providing a way to report, and a defined policy of how the organisation will respond, the vulnerability is responsibly managed and not publicly disclosed until it is fixed.

The technical report targets companies and organizations of all sizes who want to implement a vulnerability disclosure process. It focuses on the essential steps, contains an example vulnerability disclosure policy, a defined triage process and generic advice on how to respond to and manage a vulnerability disclosure.

Please provide your comments by 15 September at cybersupport@etsi.org 

The report is available at https://tinyurl.com/wrdrr8y5