The number of manufacturers in cyber safety industries who have coordinated vulnerability disclosure programs is quickly growing. We encourage more engagement between manufacturers and researchers, along the lines of our Position on Disclosure.
Third-Party Vulnerability Coordinators and Other Disclosure Resources
CERT/CC – Part of the non-profit Software Engineering Institute (SEI).
FDA – The US regulator for medical devices has asked researchers to reach out by email with questions or issues: AskMedCyberWorkshop@fda.hhs.gov
– Email common addresses, such as security@, psirt@, safety@, productsecurity@, etc.
– See if anyone in your network has contacts at the company, taking care not to inadvertently disclose the issues themselves.
Resources for Companies
– The US Department of Commerce, National Telecommunications and Information Administration (NTIA) partnered with security researchers, industry, and others in creating a template and guidance document for vulnerability disclosure in safety critical systems.
– ISO/IEC 29147 Standard for Vulnerability Disclosure (free download)
– ISO/IEC 30111 Standard for Vulnerability Handling Processes
– If you know of other public coordinated vulnerability disclosure policies or resources, we ask that you let us know: info [at] iamthecavalry.org