{ "Business-Standards": "Cybersecurity Standards", "Sub-section":"Coordinated Vulnerability Disclosure", "Business Lifecycle": [{ "cyb-cvd-060": [{"Identifier": "CYB.060.030","Activity": "Coordinated Vulnerability Disclosure","Description": "Gathering information from vulnerability finders, coordinating the sharing of that information between relevant stakeholders, and disclosing the existence of software vulnerabilities and their mitigations to various stakeholders including the public in order to reduce an adversary's advantage while an information security vulnerability is being mitigated."}] }], "Business Capabilities": [{ "Capability ID": "CYB.060.030.100", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "I", "Business Capability Statement": "Develop, maintain and monitor a communications channel/hub/exchange for receiving reports for organizations that may not have a clear disclosure policy", "Authoritative Source": "CSF RS.AN-5" }, { "Capability ID": "CYB.060.030.101", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "I", "Business Capability Statement": "Automatically and manually ingest reports from reporters to augment situational awareness across the community", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.102", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "I", "Business Capability Statement": "Ingest sanitized (i.e. 
unattributed and scrubbed of sensitive information) status reports from organizations (agencies) to augment situational awareness across the community", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.200", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Aggregate and analyze statistical data from received reports to track status and discover opportunities for improvement.", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.201", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Generate notices and reports from inputs to uniformly communicate metrics.", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.202", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Identify and address persistent and common organization (agency) challenges related to vulnerability reporting and remediation", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.203", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Maintain inventory of organizations (agencies) participating in community-wide vulnerability information sharing", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.204", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability 
Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Maintain communication with points of contact at organizations (agencies)", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.205", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Develop/maintain policy on vulnerability disclosure", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.206", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Measure vulnerability impact uniformly across the community for use in risk determination", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.300", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Assist non-participating community organizations with developing and maintaining vulnerability disclosure policies and programs", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.301", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Produce sanitized (i.e. 
unattributed and scrubbed of sensitive information) periodic community-wide reports of vulnerability disclosure metrics", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.302", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Produce vulnerability notices to potentially affected organizations within the community", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.303", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Produce vulnerability notices to potentially affected product vendors to aid in remediation", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.304", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Publish Coordinated Vulnerability Disclosure Policy sample language for use in the community", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.305", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Publish policy guidance to address potential legal concerns in the community", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.306", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Publish standardized metrics for 
organization use in reporting to the community", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.308", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Ensure that continuous monitoring is able to alert on activities that do not match organization vulnerability disclosure policy", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.309", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Update Privacy policy to ensure privacy protections are in place for both organization data and the researcher", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "", "Function": "", "Activity Name": "", "(I)input/(P)process/(O)output": "", "Business Capability Statement": "", "Authoritative Source": "" }, { "Capability ID": "CYB.060.031.100", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "I", "Business Capability Statement": "Automatically and manually ingest reports from reporters to include in vulnerability management processes", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.200", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Determine severity and urgency for risk determination and remediation prioritization and update vulnerability documentation accordingly", "Authoritative Source": "CSF PR.IP-12" }, { 
"Capability ID": "CYB.060.031.201", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Discover or develop (mitigation, remediation, or acceptance) plan", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.202", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Ensure change management process allows for escalation and off-schedule remediation.", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.203", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Ensure that vulnerability research activities are properly contained to prevent disclosure of sensitive information.", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.204", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Implement remediation plan, communicate status", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.205", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Ensure that the change management process allows for scheduling remediation according 
to severity and urgency", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.206", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Update incident response plans and exercises to include \"malicious reporter\" and \"good faith\" scenarios", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.207", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Update Vulnerability Handling policy/procedures to include reporting, triage, and prioritization", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.208", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Update Vulnerability Management policy to include processing of externally reported vulnerabilities", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.300", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Provide notice to system owners/administrators of vulnerability disclosure policies and activities", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "", "Function": "", "Activity Name": "", "(I)input/(P)process/(O)output": "", "Business Capability Statement": "", "Authoritative Source": "" }, { "Capability ID": "CYB.060.032.100", 
"Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "I", "Business Capability Statement": "Automatically and manually ingest reports from reporters to include in vulnerability management processes", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.200", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Ensure communication with the reporter throughout the vulnerability management process", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.201", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Periodically collect and review vulnerability disclosure metrics for vulnerability management process improvement", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.202", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Consider developing and implementing a Bug Bounty Program", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.203", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Verify report triage (false positive filtering)", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.204", "Function": "CYB.060 – PROTECT - Information Protection Policy", 
"Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Perform a base level of validation of the submitted report (“triage”)", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.205", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Screen out obviously junk (spam) reports", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.206", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Support monetary awards funded by the individual organization (“bug bounty”)", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.207", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Track and record metrics, within the organization, throughout the report and remediation lifecycle", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.208", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Verify report activity matches organization vulnerability disclosure policy and update policy accordingly", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.209", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", 
"(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Allow for reporters to submit reports anonymously", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.300", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Generate sanitized (i.e. unattributed and scrubbed of sensitive information) status report to community (CISA for federal government)", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.301", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Generate working acknowledgements to vulnerability reporter", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.302", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Publish vulnerability disclosure policy on internet-facing web domains, applications, and services (e.g., via a security.txt file per RFC 9116) so reporters can find the authorized scope and reporting channel", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.303", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Allow for ad-hoc reporting and/or expose API of report lifecycle metrics", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.304", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Allow for customizable metric threshold alerts to the organization", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.305", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Produce \"Top hackers\" report", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.306", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Produce periodic roll-up reports of community-wide metrics", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.307", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Produce sanitized (i.e. unattributed and scrubbed of sensitive information) status reports of individual submissions to product vendors and community (CISA)", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.308", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Provide user interface for managing communications between reporters, organization, and community (CISA)", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.309", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Route unassigned reports to community (CISA) for external assignment", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.310", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Implement/maintain researcher recognition program", "Authoritative Source": "CSF PR.IP-12" } ], "Business Use Cases": "Business Standards Under Development", "Standard Data Elements": "Business Standards Under Development", "Performance Metrics": "Business Standards Under Development" }