Coordinated Vulnerability Disclosure Program

CISA's Coordinate Vulnerability Disclosure (CVD) program coordinates the remediation and public disclosure of newly identified cybersecurity vulnerabilities in products and services with the affected vendor(s). This includes new vulnerabilities in industrial control systems (ICS), Internet of Things (IoT), and medical devices, as well as traditional information technology (IT) vulnerabilities. The goal of CISA's CVD program is to ensure that CISA, the affected vendor(s) and/or service provider(s), and the vulnerability reporter all disclose simultaneously, to ensure that users and administrators receive clear and actionable information in a timely manner.

CISA's Role:

The goal of the CVD program is to ensure that CISA, the affected vendor(s) and/or service provider(s), and the vulnerability reporter all disclose simultaneously, to ensure that users and administrators receive clear and actionable information in a timely manner.

Process

The CISA coordinated vulnerability disclosure process involves five basic steps:

1. Collection: CISA collects vulnerability reports in three ways: CISA vulnerability analysis, monitoring public sources of vulnerability information, and direct reports of vulnerabilities to CISA. After receiving a report, CISA performs an initial analysis to assess a vulnerability's presence and compare with existing reports to identify duplicates. CISA then catalogs the vulnerability report, including all information that is known at that point.

2. Analysis: Once the vulnerability reports are catalogued, vendor(s) and CISA analysts work to understand the vulnerabilities by examining the technical issue and the potential risk the vulnerability represents.

3. Mitigation Coordination: After analyzing a vulnerability, CISA will continue to work with the affected vendor(s) for mitigation development and the issuance of patches or updates.

4. Application of Mitigation: When possible and where necessary, CISA may work with vendor(s) to facilitate sufficient time for affected end users to obtain, test, and apply mitigation strategies prior to public disclosure.

5. Disclosure: In coordination with the source of the vulnerability report and the affected vendor(s), CISA will take appropriate steps to notify users about the vulnerability via multiple channels. CISA strives to disclose accurate, neutral, objective information focused on technical remediation and mitigation for asset owners and operators. CISA will make references to available related information and correct misinformation where necessary.

Disclosure Timeline

Time frames for mitigation development and the type and schedule of disclosure may be affected by various factors. Extenuating circumstances, such as active exploitation, threats of an especially serious nature, or situations that require changes to established standards may result in changes to the disclosure timeline. Other factors include, but are not limited to:

• whether the vulnerability has already been publicly disclosed, i.e. published by a researcher;
• potential impact to critical infrastructure, national security, or public health and safety;
• the availability of effective mitigations;
• vendor responsiveness and feasibility of developing an update or patch;
• vendor estimate of time required for customers to obtain, test and apply the patch.

The name and contact information of the vulnerability reporter will be provided to the affected vendors unless otherwise requested by the vulnerability reporter. CISA will advise the vulnerability reporter of significant changes in the status of any vulnerability reported, without revealing information provided in confidence by the affected vendor(s) or service provider(s).

Affected vendors will be apprised of any publication plans and alternate publication schedules will be negotiated with affected vendors as required.

In cases where a vendor is unresponsive, or will not establish a reasonable timeframe for remediation, CISA may disclose vulnerabilities as early as 45 days after the initial attempt to contact the vendor is made regardless of the availability of a patch or update.

CVD and the Vulnerability Equities Process (VEP)

While CISA participates in the interagency VEP, vulnerability reports collected by CISA under this policy are not subject to adjudication by the VEP participants, per Section 5.4 of the VEP Charter.