Resources and Standards

Here we have collected a list of resources and standards that are relevant to the practice and process of Coordinated Vulnerability Disclosure (CVD). This list is by no means exhaustive, but it should provide a good starting point for those interested in learning more about CVD.

ISO Standards

• ISO/IEC 30111:2019 Information technology -- Security techniques -- Vulnerability handling processes
• ISO/IEC 29147:2018 Information technology -- Security techniques -- Vulnerability disclosure
• ISO/IEC TR 5895:2022 Cybersecurity Multi-party coordinated vulnerability disclosure and handling

FIRST Resources

• Traffic Light Protocol (TLP)
• Common Vulnerability Scoring System (CVSS)
• Vulnerability Coordination Special Interest Group
• Ethics Special Interest Group
• PSIRT Services Framework
• CSIRT Services Framework

OASIS Resources

• Common Security Advisory Framework (CSAF)

NIST Resources

• National Vulnerability Database (NVD)
• Common Platform Enumeration (CPE)
• NIST SP 800-161 Rev. 1 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

CERT Resources

• Stakeholder-Specific Vulnerability Categorization (SSVC): A framework for prioritizing vulnerabilities based on stakeholder needs
• Vultron: A protocol for Multi-Party Vulnerability Coordination
• CERT Resilience Management Model (CERT-RMM)
• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
• Vulnerability Disclosure Policy Templates
• Vulnerability INformation and Coordination Environment (VINCE)

CISA Resources

• Software Bill of Materials (SBOM)
• Vulnerability Disclosure Policy (VDP) Platform
• Vulnerability Disclosure Policy Template