ANSI - INCITS/ISO/IEC TR 5895
Cybersecurity - Multi-party coordinated vulnerability disclosure and handling
| Organization: | ANSI |
| Publication Date: | 1 January 2022 |
| Status: | active |
| Page Count: | 24 |
scope:
This document clarifies and increases the application and implementation of ISO/IEC 30111 and ISO/IEC 29147 in multi-party coordinated vulnerability disclosure (MPCVD) settings, including the evolving commonly adopted practices in this area, by articulating:
- The MPCVD life cycle and application of coordinated vulnerability disclosure (CVD) stages (preparation, receipt, verification, remediation2) development, release, post-release) in MPCVD settings.
- Stakeholders involved in MPCVD include users, vendors (coordinating, mitigating, and dependent vendors), reporters, and non-vendor coordinators (entities defined in ISO/IEC 29147 and ISO/IEC 30111).
- The exchange of information between stakeholders during the vulnerability handling and disclosure process in a MPCVD settings.
Clarifying the application of ISO/IEC 30111 and ISO/IEC 29147 in MPCVD settings illustrates the benefits of vulnerability disclosure processes.
2) Remediation is a defined term used in ISO/IEC 30111 and ISO/IEC 29147. This document uses the term "remediation" and verb "remediate" in the context of this definition.
Document History
