Export Compliance Daily is a Warren News publication.

NTIA Releases Draft Multiparty Vulnerability Disclosure Guidelines, Policy Template

Participants in NTIA's vulnerability research disclosures multistakeholder process released a provisional version Thursday of voluntary guidelines for multiparty disclosure coordination, a template for an “early stage” disclosure coordination policy and a study of attitudes to vulnerability disclosure practices. The guidelines that the Forum of Incident Response and Security Teams (First) issued via NTIA include six use cases. They include a compendium of current best practices, like building and maintaining trust among parties, maintaining communication and ways to minimize stakeholders' exposure as a result of a vulnerability. Comments are due to First by Jan. 31. The early stage disclosure policy template focuses on safety-critical industries but can be used by “any organization in taking the first steps toward a disclosure policy,” said Deputy Assistant Secretary of Commerce-Communications and Information Angela Simpson in a blog post. The disclosure attitudes research report found that 92 percent of the more than 400 researchers surveyed engage in some form of coordinated vulnerability disclosure. Seventy-six percent of mature tech providers and operators have internal vulnerability handling procedures, but only about 33 percent of all surveyed companies require their suppliers to have their own vulnerability handling procedures, NTIA reported. The documents “will help many types of organizations better understand security disclosure, and develop their own strategies,” Simpson blogged. “NTIA will continue to work with stakeholders on outreach models and ways to educate key sectors and organizations, raise awareness of this important issue, and encourage adoption of practices that help improve security of the digital economy.”