[{ "Capability ID": "CYB.060.030.100", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "I", "Business Capability Statement": "Develop, maintain and monitor a communications channel/hub/exchange for receiving reports for organizations that may not have a clear disclosure policy", "Authoritative Source": "CSF RS.AN-5" }, { "Capability ID": "CYB.060.030.101", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "I", "Business Capability Statement": "Automatically and manually ingest reports from reporters to augment situational awareness across the community", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.102", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "I", "Business Capability Statement": "Ingest sanitized (i.e. 
unattributed and scrubbed of sensitive information) status reports from organizations (agencies) to augment situational awareness across the community", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.200", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Aggregate and analyze statistical data from received reports to track status and discover opportunities for improvement.", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.201", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Generate notices and reports from inputs to uniformly communicate metrics.", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.202", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Identify and address persistent and common organization (agency) challenges related to vulnerability reporting and remediation", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.203", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Maintain inventory of organizations (agencies) participating in community-wide vulnerability information sharing", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.204", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability 
Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Maintain communication with points of contact at organizations (agencies)", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.205", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Develop/maintain policy on vulnerability disclosure", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.206", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Measure vulnerability impact uniformly across the community for use in risk determination", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.300", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Assist non-participating community organizations with developing and maintaining vulnerability disclosure policies and programs", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.301", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Produce sanitized (i.e. 
unattributed and scrubbed of sensitive information) periodic community-wide reports to report vulnerability disclosure metrics", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.302", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Produce vulnerability notices to potentially affected organizations within the community", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.303", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Produce vulnerability notices to potentially affected product vendors to aid in remediation", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.304", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Publish Coordinated Vulnerability Disclosure Policy sample language for use in the community", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.305", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Publish policy guidance to address potential legal concerns in the community", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.306", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Publish standardized metrics for 
organization use in reporting to the community", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.308", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Ensure that continuous monitoring is able to alert on activities that do not match organization vulnerability disclosure policy", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.030.309", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.030 – Manage Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Update Privacy policy to ensure privacy protections are in place for both organization data and the researcher", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "", "Function": "", "Activity Name": "", "(I)input/(P)process/(O)output": "", "Business Capability Statement": "", "Authoritative Source": "" }, { "Capability ID": "CYB.060.031.100", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "I", "Business Capability Statement": "Automatically and manually ingest reports from reporters to include in vulnerability management processes", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.200", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Determine severity and urgency for risk determination and remediation prioritization and update vulnerability documentation accordingly", "Authoritative Source": "CSF PR.IP-12" }, { 
"Capability ID": "CYB.060.031.201", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Discover or develop (mitigation, remediation, or acceptance) plan", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.202", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Ensure change management process allows for escalation and off-schedule remediation.", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.203", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Ensure that vulnerability research activities are properly contained to prevent disclosure of sensitive information.", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.204", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Implement remediation plan, communicate status", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.205", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Ensure that the change management process allows for scheduling remediation according 
to severity and urgency", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.206", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Update incident response plans and exercises to include \"malicious reporter\" and \"good faith\" scenarios", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.207", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Update Vulnerability Handling policy/procedures to include reporting, triage, and prioritization", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.208", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Update Vulnerability Management policy to include processing of externally reported vulnerabilities", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.031.300", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.031 – Integrate Coordinated Vulnerability Disclosure and Vulnerability Management", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Provide notice to system owners/administrators of vulnerability disclosure policies and activities", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "", "Function": "", "Activity Name": "", "(I)input/(P)process/(O)output": "", "Business Capability Statement": "", "Authoritative Source": "" }, { "Capability ID": "CYB.060.032.100", 
"Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "I", "Business Capability Statement": "Automatically and manually ingest reports from reporters to include in vulnerability management processes", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.200", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Ensure communication with reporter throughout the vulnerability management process", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.201", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Periodically collect and review vulnerability disclosure metrics for vulnerability management process improvement", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.202", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Consider developing and implementing a Bug Bounty Program", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.203", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Verify report triage (false positive filtering)", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.204", "Function": "CYB.060 – PROTECT - Information Protection Policy", 
"Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Perform a base level of validation of the submitted report (“triage”)", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.205", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Screen obviously junk (SPAM) reports", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.206", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Support for monetary awards funded by individual organization (“bug bounty”)", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.207", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Track and record metrics, within the organization, throughout the report and remediation lifecycle", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.208", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Verify report activity matches organization vulnerability disclosure policy and update policy accordingly", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.209", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", 
"(I)input/(P)process/(O)output": "P", "Business Capability Statement": "Allow for reporters to submit reports anonymously", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.300", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Generate sanitized (i.e. unattributed and scrubbed of sensitive information) status report to community (CISA for federal government)", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.301", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Generate working acknowledgements to vulnerability reporter", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.302", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Publish vulnerability disclosure policy on internet-facing web domains, applications, and services", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.303", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Allow for ad-hoc reporting and/or expose API of report lifecycle metrics", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.304", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business 
Capability Statement": "Allow for customizable metric threshold alerts to the organization", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.305", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Produce \"Top hackers\" report", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.306", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Produce periodic roll-up reports of community-wide metrics", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.307", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Produce sanitized (i.e. 
unattributed and scrubbed of sensitive information) status reports of individual submissions to product vendors and community (CISA)", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.308", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Provide user interface for managing communications between reporters, organization, and community (CISA)", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.309", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Route unassigned reports to community (CISA) for external assignment", "Authoritative Source": "CSF PR.IP-12" }, { "Capability ID": "CYB.060.032.310", "Function": "CYB.060 – PROTECT - Information Protection Policy", "Activity Name": "CYB.060.032 – Operationalize Coordinated Vulnerability Disclosure", "(I)input/(P)process/(O)output": "O", "Business Capability Statement": "Implement/maintain researcher recognition program", "Authoritative Source": "CSF PR.IP-12" } ]