Vulnerability Disclosure Policy Templates
In recent years the CERT/CC has advised a number of organizations on their vulnerability disclosure policies. This section contains a collection of resources intended for use in constructing a vulnerability disclosure policy. Here we are attempting to capture common verbiage in order to help others develop or improve their own policies. We've taken these items from a variety of vulnerability disclosure policies including our own, generalized them, organized them by topic, and assembled them into this collection.
This collection is a general set of templates from which you can derive and spawn a disclosure policy for an organization.
How to Use This Collection
This collection of example policy statements is meant to be remixed and adapted for different organizations and contexts. It is unlikely that any single organization would choose to adopt all of these items wholesale without some modification.
We have compiled this style guide to ensure our template statements can be used to create a policy that is clear, consistent, and easy to read. We also think it is likely to be useful when constructing your own policy.
Setting Expectations for Reporters
This collection of policy statement templates describes expectations for reporters participating in a vulnerability disclosure program.
Setting Expectations for Receivers
This collection of policy statement templates describes expectations for organizations receiving vulnerability reports.
How To Use These Templates
Organizations will likely find that some expectations do not apply to their situation based on the kind of stakeholder they are. In particular we anticipate that product vendors, service providers, and coordinators will have related but distinct needs. Inclusion or exclusion of items from these templates into your organization's policy should be based on which combination of stakeholder roles you expect to play.
Here's a checklist of tasks you should complete in order to make use of these templates.
- Review the content of the Disclosure Policy Style Guide.
- Review the content of the Reporters and Receivers files.
- Select the policy expectation items you want to use.
- Adjust the recommendation strength (e.g., change some of the SHOULDs to MUSTs or MAYs to SHOULD NOTs etc.).
- Adjust the wording of the items to fit your organization's style or needs.
- Replace any KEYWORDS with an appropriate substitution (e.g., "45 days" instead of "SLC").
- Construct a single policy document from the collected items.
- Add any needed introduction, boilerplate, or legal info to the document.
- Review the entire document for internal consistency and fix any contradictions.
- Review the document for external consistency with other organization policies, applicable laws, regulations, etc.
- Get approval for the policy, and for publishing the document, from the necessary decision makers.
- Establish sufficient operational capability in order to provide the service(s) the policy commits you to offer.
- Publish the policy.
Disclaimer
We are not lawyers, and this is not legal advice. You are encouraged to consult your own legal counsel in the process of creating your disclosure policy.