National Infrastructure Advisory Council Vulnerability Disclosure Framework



About This Report

From the Executive Summary:

The goal of this report is to achieve a common understanding and develop standard practices for disclosing and managing vulnerabilities in networked information systems. Over the last 20 years, businesses and governments have increased their reliance on networks, applications, and the Internet for core government and business operations. Vulnerabilities in technology vital to interconnected, critical infrastructure operations represent a threat to both national and economic security. Managing these vulnerabilities has become a critical component of customer care and protecting citizens. There are no standards or broad agreements among stakeholders regarding how, when, and to whom to disclose vulnerabilities.

The following seven recommendations are made to the President to direct appropriate Departments and Agencies involved in any aspect of managing software vulnerabilities.


I was invited to join the working group developing these guidelines. I couldn’t resist.