Vulnerabilities identified in applications are publicly disclosed (where appropriate to do so) by software developers in a timely manner.
Establish a central, organization-wide Product Security Incident Response Team (PSIRT) to manage vulnerability disclosures and remediation efforts. Make PSIRT contact information accessible to external researchers, such as through a dedicated webpage, to encourage responsible vulnerability reporting. The PSIRT team should collaborate with researchers to acknowledge receipt of reports, gather essential details, and prioritize remediation of reported vulnerabilities. Ensure a responsible disclosure process is followed for all vulnerabilities, allowing for public disclosure when appropriate to protect users and promote transparency. This approach fosters trust, supports security improvements, and enables the organization to address vulnerabilities in a timely, coordinated manner.
To mitigate vulnerability risks, organizations should make every effort to ensure that publicly known or easily identified vulnerabilities are not present in any software provided to customers. Additionally, before delivering software to customers, organizations must test for, understand, and remove vulnerabilities in that software to avoid supplying code that can be readily compromised.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-04-05-01-01-01 | Establish a central product security incident response team (PSIRT) | Create a company-wide PSIRT with public-facing information (e.g., a webpage) to facilitate external vulnerability reporting. The PSIRT team should work with external researchers to acknowledge, triage, and resolve reported vulnerabilities, ensuring responsible disclosure. | Preparation | Security Teams |
SSS-04-05-01-01-02 | Define and implement vulnerability assessment processes | Create a vulnerability assessment team consisting of architects, developers, and security experts. Establish processes for analyzing software capabilities and components, including known environment analysis, fuzz testing, and the use of tools like binary composition analysis for vulnerability detection. | Development | Security Analysts |
SSS-04-05-01-01-03 | Deploy state-of-the-art evaluation tools | Invest in static and dynamic analysis tools to detect vulnerabilities throughout the software lifecycle. Ensure these tools are kept updated according to supplier documentation to maintain their effectiveness against evolving threats. | Development | QA and Testing Teams |
SSS-04-05-01-01-04 | Track, remediate, and document vulnerabilities | Track all identified vulnerabilities as product defects in a secure defect tracking tool. Include CVSS scores, impact assessments, and other supporting data. Ensure vulnerabilities are remediated promptly, and document all findings for audits and continuous improvement. | Deployment | Compliance Teams |
SSS-04-05-01-01-05 | Publicly disclose vulnerabilities responsibly | For vulnerabilities that warrant public disclosure, communicate them in a timely manner through appropriate channels, ensuring customers and stakeholders are informed about risks and mitigations. Use the SBOM to evaluate the impact of third-party and open-source components on vulnerabilities. | Post-deployment | PSIRT Team |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1908); CISA Securing the Software Supply Chain Part 2 (2.4); CISA (2.4.1 Identify, Analyze, and Remediate Vulnerabilities on a Continuous Basis, Recommended mitigations, 1) | | |