Multistakeholder Process: Cybersecurity Vulnerabilities

December 15, 2016

This web page provides details on the NTIA-convened multistakeholder process concerning collaboration between security researchers and software and system developers and owners to address security vulnerability disclosure.

Stakeholder documents

On December 15, 2016, stakeholder participants released a set of initial findings, recommendations and resources. NTIA will continue to work with stakeholders on further developments and outreach.

Upcoming meeting

Further activity for this multistakeholder process will be announced in early 2017.

Past Meetings

November 7, 2016 in Washington, D.C.

These draft documents were written by stakeholder working groups. These are not final documents, and are intended for discussion.

April 8, 2016

December 2, 2015

September 29, 2015

Background:

On March 19, 2015, the National Telecommunications and Information Administration, working with the Department of Commerce’s Internet Policy Task Force (IPTF), issued a Request for Comment to “identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers.” Individuals and entities from across the commercial, academic, and civil society sectors filed comments. After reviewing these comments, NTIA announced that the first topic to be addressed would be collaboration on vulnerability research disclosure.

The goal of this process will be to develop a broad, shared understanding of the overlapping interests between security researchers and the vendors and owners of products discovered to be vulnerable, and to establish a consensus about voluntary principles to promote better collaboration. The question of how vulnerabilities can and should be disclosed will be a critical part of the discussion, as will how vendors receive and respond to this information. However, disclosure is only one aspect of successful collaboration.

Additional Information:

The Federal Register Notice announcing the first meeting and providing further background and detail:

Deputy Assistant Secretary Angela Simpson’s blog post announcing the initiative on Enhancing the Digital Economy Through Collaboration on Vulnerability Research Disclosure.

March 19, 2015 Request for Comments on Stakeholder Engagement on Cybersecurity in the Digital Ecosystem

Stakeholder Comments on Stakeholder Engagement on Cybersecurity in the Digital Ecosystem

Department of Commerce Green Paper “Cybersecurity, Innovation, and the Internet Economy” (July, 2011)