- CISA has teamed up with four global partners to release new vulnerability disclosure guidance
- The guide will help software makers build formal channels for researchers to report vulnerabilities
- The guidance requires public policies that spell out how to submit, test and track vulnerability reports
The Cybersecurity and Infrastructure Security Agency and four international cybersecurity partners have released guidance to help software manufacturers and online service providers establish coordinated vulnerability disclosure, or CVD, programs that support collaboration with security researchers.
Learn how DHS is advancing AI, cyber defense and operational capabilities to strengthen homeland security at the 2026 Homeland Security Summit on Nov. 12. Register now.
What Does the New Guidance Cover?
CISA said Thursday it collaborated with the National Security Agency, the Japan Computer Emergency Response Team Coordination Center, the Netherlands’ National Cyber Security Centre and the U.K.’s National Cyber Security Centre to develop the guidance, titled Establishing a Coordinated Vulnerability Disclosure Program to Work With Security Researchers.
The document provides a structured and transparent framework for working with security researchers who identify vulnerabilities in software, hardware and networks. The agency said organizations can use CVD programs to assess potential risks, strengthen vulnerability management processes and enhance decision-making to strengthen product security for customers.
The guidance builds on CISA’s broader efforts to strengthen vulnerability management, including its Known Exploited Vulnerabilities reporting initiative, which expanded the mechanisms available to researchers and organizations to report cyber threats.
Why Did CISA Issue the Guidance?
Chris Butera, acting executive assistant director for cybersecurity at CISA, said coordinated vulnerability disclosure is foundational to building a secure software ecosystem and that the practices outlined support the agency’s Secure by Design initiative.
“CISA encourages suppliers to establish a coordinated vulnerability disclosure program and build constructive, collaborative relationships with security researchers to enhance product security,” said Butera.
The guidance states that security researchers should have a defined, safe channel through which to disclose vulnerabilities. It provides practices for establishing a disclosure program that signals a commitment to product trustworthiness. It states that a publicly posted policy is necessary to detail how reports are submitted, what testing activities are permitted and what can be expected during the review process, including ongoing communication with researchers as the assessment moves forward.







