{"id":8788,"date":"2026-07-16T10:48:58","date_gmt":"2026-07-16T10:48:58","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8788"},"modified":"2026-07-16T10:48:58","modified_gmt":"2026-07-16T10:48:58","slug":"cisa-urges-software-vendors-to-formalize-vulnerability-disclosure-programs","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8788","title":{"rendered":"CISA urges software vendors to formalize vulnerability disclosure programs"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p class=\"wp-block-paragraph\">The Cybersecurity and Infrastructure Security Agency (CISA) and four international cybersecurity agencies have published guidance urging software manufacturers and online service providers to establish coordinated vulnerability disclosure (CVD) programs, saying structured engagement with security researchers can help improve vulnerability management and product security.<\/p>\n<p class=\"wp-block-paragraph\">Published jointly with the US National Security Agency (NSA), Japan Computer Emergency Response Team Coordination Center (JPCERT\/CC), the Netherlands\u2019 National Cyber Security Centre (NCSC-NL), and the UK\u2019s National Cyber Security Centre (NCSC-UK), the guidance, \u201cEstablishing a Coordinated Vulnerability Disclosure Program to Work With Security Researchers,\u201d outlines how organizations can build public programs for receiving, assessing, and responding to vulnerability reports involving software, hardware, and network products.<\/p>\n<p class=\"wp-block-paragraph\">According to the guidance, a well-defined CVD program enables software manufacturers and online service providers to better assess potential risk, improve vulnerability management processes, and make informed decisions that strengthen product security.<\/p>\n<p class=\"wp-block-paragraph\">CISA said the guidance supports its <a href=\"https:\/\/www.cisa.gov\/securebydesign\" target=\"_blank\" rel=\"noopener\">Secure by Design<\/a> initiative, which encourages technology providers to build more secure products and take greater responsibility for identifying and remediating vulnerabilities.<\/p>\n<p class=\"wp-block-paragraph\">\u201cCoordinated vulnerability disclosure is foundational to building a secure software ecosystem,\u201d Chris Butera, CISA\u2019s acting executive assistant director for cybersecurity, <a href=\"https:\/\/www.cisa.gov\/news-events\/news\/cisa-and-partners-publish-guidance-help-software-manufacturers-and-online-service-providers-work\" target=\"_blank\" rel=\"noopener\">said in a statement<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">\u201cThe practices in this guide help protect customers, strengthen products, and support CISA\u2019s Secure by Design initiative, which encourages companies to be transparent and responsible in how they build and maintain their technology,\u201d Butera said.<\/p>\n<h2 class=\"wp-block-heading\">Building an effective disclosure program<\/h2>\n<p class=\"wp-block-paragraph\">The guidance recommends that organizations publish a clear vulnerability disclosure policy describing how researchers can report vulnerabilities, what testing activities are permitted, how reports will be handled, and what researchers should expect throughout the assessment process. CISA said maintaining communication with researchers helps keep the process transparent and builds trust between vendors and the security research community.<\/p>\n<p class=\"wp-block-paragraph\">Piyush Sharma, co-founder and CEO of cybersecurity firm Tuskira, said the guidance addresses a key operational requirement for both researchers and security teams.<\/p>\n<p class=\"wp-block-paragraph\">\u201cCISA is right to emphasize that vulnerability disclosure requires a clear process,\u201d Sharma said. \u201cResearchers need to know where to report a flaw, while security teams need defined ownership to validate, prioritize, and remediate findings.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Andrew Costis, engineering manager of the Adversary Research Team at AttackIQ, said establishing a reporting channel is only the beginning of the process.<\/p>\n<p class=\"wp-block-paragraph\">\u201cCreating a clear path for researchers to report vulnerabilities is a great first step, but the real work starts once that report lands,\u201d Costis said. \u201cSecurity teams have to understand what the weakness could give an attacker access to and how urgently it needs to be addressed.\u201d<\/p>\n<p class=\"wp-block-paragraph\">According to CISA, security researchers can help software manufacturers and online service providers identify weaknesses before they are exploited, but only if organizations provide a clear and safe mechanism for reporting vulnerabilities.<\/p>\n<h2 class=\"wp-block-heading\">Prioritizing vulnerabilities at scale<\/h2>\n<p class=\"wp-block-paragraph\">The guidance comes as AI-assisted vulnerability discovery is increasing the volume of security findings that enterprise security teams must assess and remediate, according to Sharma.<\/p>\n<p class=\"wp-block-paragraph\">\u201cThe challenge is that AI-assisted vulnerability discovery is increasing the volume of disclosures faster than most organizations can manually assess them,\u201d he said.<\/p>\n<p class=\"wp-block-paragraph\">Sharma said organizations should avoid treating every disclosed vulnerability as equally urgent and instead determine whether a flaw creates a reachable attack path, identify exposed assets, and evaluate whether existing controls can interrupt an attack while remediation is underway.<\/p>\n<p class=\"wp-block-paragraph\">Costis echoed that view, saying vulnerability management should focus on exploitability rather than severity scores alone.<\/p>\n<p class=\"wp-block-paragraph\">\u201cVulnerabilities can\u2019t be treated as isolated findings or prioritized on severity alone,\u201d he said. \u201cTeams need to understand how a weakness connects to the rest of their environment and whether it creates a viable path to critical systems.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Where patches are unavailable, Sharma said validating compensating controls can significantly reduce enterprise risk until remediation is completed.<\/p>\n<p class=\"wp-block-paragraph\">Costis said organizations should also verify that remediation has eliminated exploitable attack paths rather than simply confirming that a vulnerability has been patched.<\/p>\n<p class=\"wp-block-paragraph\">\u201cClosing a ticket is one thing,\u201d he said. \u201cProving the attack path is broken, and the fix holds against real-world adversary behavior is another.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The Cybersecurity and Infrastructure Security Agency (CISA) and four international cybersecurity agencies have published guidance urging software manufacturers and online service providers to establish coordinated vulnerability disclosure (CVD) programs, saying structured engagement with security researchers can help improve vulnerability management and product security. Published jointly with the US National Security Agency (NSA), Japan Computer Emergency [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8789,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8788","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8788"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8788"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8788\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8789"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8788"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8788"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8788"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}