The FTC released public comments yesterday on the National Telecommunications and Information Administration’s (NTIA) draft “Early Stage” Coordinated Vulnerability Disclosure Template released in December 2016. The draft template was released by the NTIA Safety Working Group as part of a multistakeholder process that convened security researchers and software and system developers and owners to address security vulnerability disclosure.
The FTC’s comments highlighted the importance of coordinated vulnerability disclosure efforts, stating that “companies should communicate and coordinate with the security research community as part of a continuous process of detecting and remediating software vulnerabilities,” and cited its prior enforcement actions and Staff guidance on the subject. The FTC encouraged transparency in vulnerability reporting by both researchers and companies, and promoted the model vulnerability disclosure policy language in the draft template as “a useful asset for companies seeking to draft a public-facing vulnerability disclosure policy that helps forge common expectations with researchers regarding vulnerability handling timelines and processes.”