CoP 2: Implement a vulnerability disclosure policy

All companies that provide internet-connected devices and services shall provide a public point of contact as part of a vulnerability disclosure policy, so that security researchers and others can report issues. Disclosed vulnerabilities should be acted on in a timely manner.

Knowing about a security vulnerability allows a company to respond to it. Companies should also continually monitor for, identify and rectify security vulnerabilities in their own products and services as part of the product security lifecycle. Vulnerabilities should be reported directly to the affected stakeholders in the first instance; where that is not possible, they may be reported to national authorities. The explanatory notes give further detail on the approaches to take in different circumstances. Companies are also encouraged to share information with competent industry bodies.

Primarily applies to: Device Manufacturers, IoT Service Providers and Mobile Application Developers
