A coalition of security companies and advocacy groups has called on the National Institute of Standards and Technology to incorporate best practices on digital vulnerability disclosures into the agency’s updated Cybersecurity Framework, Nextgov reported Tuesday.
Joseph Marks writes that the consortium urged NIST to add a section on procedures to receive, review and respond to vulnerability reports.
NIST sought public feedback on version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity, and the agency plans to release a finalized framework this fall, Marks reported.
Vulnerability disclosure and handling processes would clarify existing elements of the framework and help organizations evaluate their readiness to respond to vulnerability information and communicate with stakeholders, the coalition said in a written comment published Monday.
The group added that such processes can also give researchers and vulnerability discoverers “a clear channel to communicate vulnerabilities to technology providers and operators, reducing the risk of conflict or misunderstanding.”
The comment was signed by Cisco Systems, Symantec, Tenable, Bugcrowd, Cybereason, Duo Security, Grimm Security, HackerOne, Luta Security, Rapid7 and WhiteScope.
The coalition also includes Access Now, the Center for Democracy & Technology, the Electronic Frontier Foundation, I Am The Cavalry, New America’s Open Technology Institute, the Niskanen Center, the Online Trust Alliance, Security of Things Forum and TechFreedom.