Stakeholders involved in NTIA’s cybersecurity multistakeholder process to promote collaboration on vulnerability research disclosure today are releasing initial findings, recommendations, and resources that they hope will enhance cooperation and lead to a more secure digital ecosystem. The three stakeholder-drafted reports reflect the experience and wisdom of many of the key experts in the field, including active security researchers, experienced software companies, security companies, academics, and civil society advocates, as well as industries new to the issue.
Vulnerability disclosure has long been an open, important issue in cybersecurity. Companies need a strategy to deal with flawed software, systems, and configurations -- especially when the issues are first discovered by a third party. Without a strategy, for example, companies sometimes choose to threaten the third party with legal action rather than working together to fix the vulnerability. This need is heightened as more and more organizations become part of the digital economy.
A diverse set of stakeholders participated in this process for more than a year, attending four in-person meetings across the country, and participating in countless conference calls and drafting sessions. On behalf of NTIA, I want to thank them for their hard work and dedication to seeking consensus and increased collaboration on these important cybersecurity issues.