The Cybersecurity and Infrastructure Security Agency (CISA) and four international partners have released guidance calling on software manufacturers and online service providers to formalize coordinated vulnerability disclosure (CVD) programs. The joint publication, developed with the National Security Agency (NSA), Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), the Netherlands' National Cyber Security Centre (NCSC-NL), and the UK's National Cyber Security Centre (NCSC-UK), provides a framework for organizations to build structured processes for receiving and responding to vulnerability reports from security researchers.
The guidance supports CISA's Secure by Design initiative, which pushes technology providers to take greater responsibility for product security. According to CISA, well-defined CVD programs enable vendors to better assess risk, improve vulnerability management, and make informed security decisions. The agency emphasizes that coordinated disclosure helps protect customers and strengthens products when vendors maintain transparency and accountability in how they build and maintain technology.
The guidance recommends organizations publish clear vulnerability disclosure policies that specify how researchers can report findings, what testing activities are permitted, how reports will be handled, and what researchers should expect during assessment. Organizations should maintain ongoing communication with researchers to build trust and keep the process transparent. Security experts note that establishing a reporting channel is only the first step, as teams must then validate findings, determine what access an attacker could gain, and assess urgency based on exploitability rather than severity scores alone.
The guidance arrives as AI-assisted vulnerability discovery increases the volume of security findings that organizations must evaluate. Security professionals warn that organizations cannot treat every disclosed vulnerability as equally urgent or rely solely on severity ratings. Instead, teams should determine whether a flaw creates a reachable attack path, identify exposed assets, and evaluate whether existing controls can interrupt attacks during remediation. Where patches are unavailable, validating compensating controls can significantly reduce risk until fixes are deployed.
Organizations should verify that remediation eliminates exploitable attack paths rather than simply confirming patches are applied. Security teams need to understand how vulnerabilities connect to their broader environment and whether they create viable paths to systems holding sensitive data or performing business functions. The guidance emphasizes that security researchers can help identify weaknesses before exploitation, but only if organizations provide clear and safe mechanisms for reporting vulnerabilities.
Source: https://www.csoonline.com/article/4197733/cisa-urges-software-vendors-to-formalize-vulnerability-disclosure-programs.html


