Coordinated Vulnerability Disclosure Process
CISA's CVD program coordinates the remediation and public disclosure of newly identified cybersecurity vulnerabilities in products and services with the affected vendor(s). This includes new vulnerabilities in industrial control systems (ICS), Internet of Things (IoT), and medical devices, as well as traditional information technology (IT) vulnerabilities. The goal of CISA's CVD program is to ensure that CISA, the affected vendor(s) and/or service provider(s), and the vulnerability reporter all disclose simultaneously, to ensure that users and administrators receive clear and actionable information in a timely manner.
Read our blog that discusses how cybersecurity researchers have a valuable role in this effort and encourages organizations to engage with them. Engaging with Security Researchers: Embracing a "See Something, Say Something" Culture, published October 23, 2024.
Process
The CISA coordinated vulnerability disclosure process involves five basic steps:
1. Collection: CISA collects vulnerability reports in three ways: CISA vulnerability analysis, monitoring public sources of vulnerability information, and direct reports of vulnerabilities to CISA. After receiving a report, CISA performs an initial analysis to assess a vulnerability's presence and compare with existing reports to identify duplicates. CISA then catalogs the vulnerability report, including all information that is known at that point.
2. Analysis: Once the vulnerability reports are catalogued, vendor(s) and CISA analysts work to understand the vulnerabilities by examining the technical issue and the potential risk the vulnerability represents.
3. Mitigation Coordination: After analyzing a vulnerability, CISA will continue to work with the affected vendor(s) for mitigation development and the issuance of patches or updates.
4. Application of Mitigation: When possible and where necessary, CISA may work with vendor(s) to facilitate sufficient time for affected end users to obtain, test, and apply mitigation strategies prior to public disclosure.
5. Disclosure: In coordination with the source of the vulnerability report and the affected vendor(s), CISA will take appropriate steps to notify users about the vulnerability via multiple channels. CISA strives to disclose accurate, neutral, objective information focused on technical remediation and mitigation for asset owners and operators. CISA will make references to available related information and correct misinformation where necessary.
Disclosure Timeline
Time frames for mitigation development and the type and schedule of disclosure may be affected by various factors. Extenuating circumstances, such as active exploitation, threats of an especially serious nature, or situations that require changes to established standards may result in changes to the disclosure timeline. Other factors include, but are not limited to:
- whether the vulnerability has already been publicly disclosed, i.e. published by a researcher;
- potential impact to critical infrastructure, national security, or public health and safety;
- the availability of effective mitigations;
- vendor responsiveness and feasibility of developing an update or patch;
- vendor estimate of time required for customers to obtain, test and apply the patch.
The name and contact information of the vulnerability reporter will be provided to the affected vendors unless otherwise requested by the vulnerability reporter. CISA will advise the vulnerability reporter of significant changes in the status of any vulnerability reported, without revealing information provided in confidence by the affected vendor(s) or service provider(s).
Affected vendors will be apprised of any publication plans and alternate publication schedules will be negotiated with affected vendors as required.
In cases where a vendor is unresponsive, or will not establish a reasonable timeframe for remediation, CISA may disclose vulnerabilities as early as 45 days after the initial attempt to contact the vendor is made regardless of the availability of a patch or update.
CVD and the Vulnerability Equities Process (VEP)
While CISA participates in the interagency VEP, vulnerability reports collected by CISA under this policy are not subject to adjudication by the VEP participants, per Section 5.4 of the VEP Charter.
Reporting A Vulnerability
CISA utilizes the Vulnerability Information and Coordination Environment (VINCE) as a secure method for sharing and coordinating vulnerability reports. VINCE is hosted by our partners at Carnegie Mellon Univserity's Software Engineering Institute (SEI).
To report a vulnerability and participate in the coordination, you will need to create a new VINCE account or sign-in to your existing account. You may also report a vulnerabilty anonymously by submitting a report without creating or signing into a VINCE account. However, anonymous reporters will be unable to participate in case discussions within the VINCE platform.
Click on the "Report a Vulnerability" button below to submit a new vulnerability report to VINCE.
Report a Vulnerability
Contact Us
While CISA recommends that all vulnerability reports are submitting via VINCE, you may choose to send an encrypted email to the following address central@cisa.gov using our public key
For more questions on this topic or CISA in general, please contact Central@cisa.gov. To report anomalous cyber activity and/or cyber incidents 24/7 email SayCISA@cisa.dhs.gov or by calling 1-844-Say-CISA (1-844-729-2472).