[ {"Capability ID":"CYB.060.030.100", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"I", "Business Capability Statement":"Develop, maintain and monitor a communications channel/hub/exchange for receiving reports for organizations that may not have a clear disclosure policy", "Authoritative Source":"CSF RS.AN-5"}, {"Capability ID":"CYB.060.030.101", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"I", "Business Capability Statement":"Automatically and manually ingest reports from reporters to augment situational awareness across the community", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.102", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"I", "Business Capability Statement":"Ingest sanitized (i.e. 
unattributed and scrubbed of sensitive information) status reports from organizations (agencies) to augment situational awareness across the community", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.200", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Aggregate and analyze statistical data from received reports to track status and discover opportunities for improvement.", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.201", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Generate notices and reports from inputs to uniformly communicate metrics.", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.202", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Identify and address persistent and common organization (agency) challenges related to vulnerability reporting and remediation", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.203", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Maintain inventory of organizations (agencies) participating in community wide vulnerability information sharing", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.204", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", 
"Business Capability Statement":"Maintain communication with points of contact at organizations (agencies)", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.205", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Develop/maintain policy on vulnerability disclosure", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.206", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Measure vulnerability impact uniformly across the community for use in risk determination", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.300", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Assist non-participating community organizations with developing and maintaining vulnerability disclosure policies and programs", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.301", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Produce sanitized (i.e. 
unattributed and scrubbed of sensitive information) periodic community-wide reports to report vulnerability disclosure metrics", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.302", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Produce vulnerability notices to potentially affected organizations within the community", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.303", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Produce vulnerability notices to potentially affected product vendors to aid in remediation", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.304", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Publish Coordinated Vulnerability Disclosure Policy sample language for use in the community", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.305", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Publish policy guidance to address potential legal concerns in the community", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.306", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Publish standardized metrics for organization use in reporting to the 
community", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.308", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Ensure that continuous monitoring is able to alert on activities that do not match organization vulnerability disclosure policy", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.030.309", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Update Privacy policy to ensure privacy protections are in place for both organization data and the researcher", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"", "Function":"", "Activity Name":"", "(I)input/(P)process/(O)output":"", "Business Capability Statement":"", "Authoritative Source":""}, {"Capability ID":"CYB.060.031.100", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output":"I", "Business Capability Statement":"Automatically and manually ingest reports from reporters to include in vulnerability management processes", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.031.200", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Determine severity and urgency for risk determination and remediation prioritization and update vulnerability documentation accordingly", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.031.201", "Function":"CYB.060 – PROTECT - Information Protection 
Policy", "Activity Name":"CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Discover or develop (mitigation, remediation, or acceptance) plan", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.031.202", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Ensure change management process allows for escalation and off-schedule remediation.", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.031.203", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Ensure that vulnerability research activities are properly contained to prevent disclosure of sensitive information.", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.031.204", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Implement remediation plan, communicate status", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.031.205", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Ensure that the change management process allows for scheduling remediation according to severity and urgency", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.031.206", "Function":"CYB.060 – 
PROTECT - Information Protection Policy", "Activity Name":"CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Update incident response plans and exercises to include \"malicious reporter\" and \"good faith\" scenarios", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.031.207", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Update Vulnerability Handling policy/procedures to include reporting, triage, and prioritization", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.031.208", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Update Vulnerability Management policy to include processing of externally reported vulnerabilities", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.031.300", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Provide notice to system owners/administrators of vulnerability disclosure policies and activities", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"", "Function":"", "Activity Name":"", "(I)input/(P)process/(O)output":"", "Business Capability Statement":"", "Authoritative Source":""}, {"Capability ID":"CYB.060.032.100", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", 
"(I)input/(P)process/(O)output":"I", "Business Capability Statement":"Automatically and manually ingest reports from reporters to include in vulnerability management processes", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.200", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Ensure communication with reporter throughout the vulnerability management process", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.201", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Periodically collect and review vulnerability disclosure metrics for vulnerability management process improvement", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.202", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Consider developing and implementing a Bug Bounty Program", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.203", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Verify report triage (false positive filtering)", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.204", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Perform a base level of validation 
of the submitted report (“triage”)", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.205", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Screen obviously junk (SPAM) reports", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.206", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Support for monetary awards funded by individual organization (“bug bounty”)", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.207", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Track and record metrics, within the organization, throughout the report and remediation lifecycle", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.208", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Verify report activity matches organization vulnerability disclosure policy and update policy accordingly", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.209", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"P", "Business Capability Statement":"Allow for reporters to submit reports anonymously", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.300", "Function":"CYB.060 – PROTECT - 
Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Generate sanitized (i.e. unattributed and scrubbed of sensitive information) status report to community (CISA for federal government)", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.301", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Generate working acknowledgements to vulnerability reporter", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.302", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Publish vulnerability disclosure policy on internet-facing web domains, applications, and services", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.303", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Allow for ad-hoc reporting and/or expose API of report lifecycle metrics", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.304", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Allow for customizable metric threshold alerts to the organization", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.305", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize 
Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Produce \"Top hackers\" report", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.306", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Produce periodic roll-up reports of community-wide metrics", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.307", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Produce sanitized (i.e. unattributed and scrubbed of sensitive information) status reports of individual submissions to product vendors and community (CISA)", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.308", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Provide user interface for managing communications between reporters, organization, and community (CISA)", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.309", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business Capability Statement":"Route unassigned reports to community (CISA) for external assignment", "Authoritative Source":"CSF PR.IP-12"}, {"Capability ID":"CYB.060.032.310", "Function":"CYB.060 – PROTECT - Information Protection Policy", "Activity Name":"CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output":"O", "Business 
Capability Statement":"Implement/maintain researcher recognition program", "Authoritative Source":"CSF PR.IP-12"} ]