This web page provides details on the NTIA-convened multistakeholder process concerning collaboration between security researchers and software and system developers and owners to address security vulnerability disclosure.
- Deputy Assistant Secretary Angela Simpson's blog post announcing the release of these documents
- Vulnerability Disclosure Attitudes and Actions: A Research Report
- Coordinated Vulnerability Disclosure “Early Stage” Template
- Guidelines and Practices for Multi-party Vulnerability Coordination
On December 15, 2016, stakeholder participants released a set of initial findings, recommendations and resources. NTIA will continue to work with stakeholders on further developments and outreach.
Further activity for this multistakeholder process will be announced in early 2017.
November 7, 2016 in Washington, D.C.
These draft documents were written by stakeholder working groups. These are not final documents, and are intended for discussion.
- Multi-party Disclosure Working Group: Guidelines and Practices for Multi-Party Vulnerability Coordination
- Safety Working Group: Coordinated Vulnerability Disclosure “Early Stage” Template and Discussion
April 8, 2016
December 2, 2015
September 29, 2015
- Revised Agenda as of September 29, 2015
- Notes from the “Key issues” stakeholder discussion at the September 29, 2015 meeting
On March 19, 2015, the National Telecommunications and Information Administration, working with the Department of Commerce’s Internet Policy Task Force (IPTF), issued a Request for Comment to “identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers.” Individuals and entities from across the commercial, academic, and civil society sectors filed comments. After reviewing these comments, NTIA announced that the first topic to be addressed would be collaboration on vulnerability research disclosure.
The goal of this process will be to develop a broad, shared understanding of the overlapping interests between security researchers and the vendors and owners of products discovered to be vulnerable, and to establish a consensus about voluntary principles to promote better collaboration. The question of how vulnerabilities can and should be disclosed will be a critical part of the discussion, as will how vendors receive and respond to this information. However, disclosure is only one aspect of successful collaboration.
The Federal Register Notice announcing the first meeting and providing further background and detail:
Deputy Assistant Secretary Angela Simpson’s blog post announcing the initiative on Enhancing the Digital Economy Through Collaboration on Vulnerability Research Disclosure.
March 19, 2015 Request for Comments on Stakeholder Engagement on Cybersecurity in the Digital Ecosystem
Stakeholder Comments on Stakeholder Engagement on Cybersecurity in the Digital Ecosystem
Department of Commerce Green Paper “Cybersecurity, Innovation, and the Internet Economy” (July, 2011)