Function: Vulnerability disclosure policy and infrastructure maintenance (3699e27e-0ff9-5fb0-ba84-90e94406f774)
CSIRTs that handle vulnerability reports should define their vulnerability disclosure policy and make that policy available to its constituents, stakeholders, and CVD participants, preferably by publishing it on the CSIRT’s website. The vulnerability disclosure policy will provide transparency to stakeholders and help to promote appropriate disclosure policies. Policies can range from no disclosure, where no vulnerability information is disclosed, to limited disclosure, where only some information is made available, to full disclosure, where all information is disclosed, which may include proof-of-concept exploits. The disclosure policy should include factors such as the scope of the policy, references to any reporting mechanisms and guidelines, and expected timeframes and mechanisms for the disclosure of the vulnerability.