Resources and Standards
Here we have collected a list of resources and standards that are relevant to the practice and process of Coordinated Vulnerability Disclosure (CVD). This list is by no means exhaustive, but it should provide a good starting point for those interested in learning more about CVD.
ISO Standards
- ISO/IEC 30111:2019 Information technology -- Security techniques -- Vulnerability handling processes
- ISO/IEC 29147:2018 Information technology -- Security techniques -- Vulnerability disclosure
- ISO/IEC TR 5895:2022 Cybersecurity Multi-party coordinated vulnerability disclosure and handling
FIRST Resources
- Traffic Light Protocol (TLP)
- Common Vulnerability Scoring System (CVSS)
- Vulnerability Coordination Special Interest Group
- Ethics Special Interest Group
- PSIRT Services Framework
- CSIRT Services Framework
OASIS Resources
NIST Resources
- National Vulnerability Database (NVD)
- Common Platform Enumeration (CPE)
- NIST SP 800-161 Rev. 1 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
CERT Resources
- Stakeholder-Specific Vulnerability Categorization (SSVC): A framework for prioritizing vulnerabilities based on stakeholder needs
- Vultron: A protocol for Multi-Party Vulnerability Coordination
- CERT Resilience Management Model (CERT-RMM)
- Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
- Vulnerability Disclosure Policy Templates
- Vulnerability INformation and Coordination Environment (VINCE)