RV.1.3—Have a policy that addresses vulnerability disclosure and remediation, and implement the roles, responsibilities, and processes needed to support that policy.
>Control Description
Have a policy that addresses vulnerability disclosure and remediation, and implement the roles, responsibilities, and processes needed to support that policy.
>Practice: RV.1
Identify and Confirm Vulnerabilities on an Ongoing Basis
Help ensure that vulnerabilities are identified more quickly so that they can be remediated more quickly in accordance with risk, reducing the window of opportunity for attackers.
>Notional Implementation Examples
1. Establish a vulnerability disclosure program, and make it easy for security researchers to learn about your program and report possible vulnerabilities.
2. Have a Product Security Incident Response Team (PSIRT) and processes in place to handle the responses to vulnerability reports and incidents, including communications plans for all stakeholders.
3. Have a security response playbook to handle a generic reported vulnerability, a report of zero-days, a vulnerability being exploited in the wild, and a major ongoing incident involving multiple parties and open-source software components.
4. Periodically conduct exercises of the product security incident response processes.
>Cross-Framework References
Mappings to related frameworks and standards, as listed in NIST SP 800-218 for this task:
- BSA FSS: VM.1-1, VM.2
- BSIMM: CMVM1.1, CMVM2.1, CMVM3.3, CMVM3.7
- EO 14028: 4e(viii), 4e(ix)
- IEC 62443: DM-1, DM-2, DM-3, DM-4, DM-5
- ISO 29147: All
- ISO 30111: All
- Microsoft SDL: 12
- NIST Labels: 2.2.2.3
- OWASP MASVS: 1.11
- OWASP SAMM: IM1-A, IM1-B, IM2-A, IM2-B
- PCI SSLC: 9.2, 9.3
- SAFECode FPSSD: Vulnerability Response and Disclosure
- SP 800-53
- SP 800-160: 3.3.8
- SP 800-161: SA-15(10)
- SP 800-181 (NICE): K0041, K0042, K0151, K0292, K0317, S0054, A0025
- SP 800-216: All