Establish and Maintain a Process to Accept and Address Software Vulnerabilities
Description
Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process should include: a vulnerability handling policy that identifies the reporting process and the party responsible for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that records severity ratings and metrics for measuring the time taken to identify, analyze, and remediate vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.
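The tracking system the Safeguard calls for needs, at minimum, a severity rating per report and timestamps for each stage (intake, analysis/assignment, remediation, remediation testing) so that timing metrics and SLA compliance can be computed for the evidence record. The following Python module is an added example written for this page, not code from CIS or from any of the tools named below; the SLA day counts per severity, the report identifiers, and the dates are all constructed placeholder values that an organization would replace with its own policy figures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Assumed remediation deadlines (days from intake) per severity rating.
# These are hypothetical policy values for the example, not CIS figures.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class VulnReport:
    """One vulnerability report moving through intake -> analysis -> fix -> test."""
    report_id: str
    severity: str
    reported_at: datetime                     # intake: report received (external or internal)
    triaged_at: Optional[datetime] = None     # analysis done, severity set, owner assigned
    remediated_at: Optional[datetime] = None  # fix deployed
    verified_at: Optional[datetime] = None    # remediation testing passed

    def __post_init__(self) -> None:
        if self.severity not in SLA_DAYS:
            raise ValueError(f"unknown severity rating: {self.severity!r}")

    def time_to_triage(self) -> Optional[timedelta]:
        """Intake -> analysis complete; None while still untriaged."""
        return None if self.triaged_at is None else self.triaged_at - self.reported_at

    def time_to_remediate(self) -> Optional[timedelta]:
        """Intake -> fix deployed; None while still open."""
        return None if self.remediated_at is None else self.remediated_at - self.reported_at

    def is_open(self) -> bool:
        return self.remediated_at is None

    def sla_met(self, now: datetime) -> bool:
        """Closed reports are judged on actual remediation time; open ones on elapsed time."""
        deadline = self.reported_at + timedelta(days=SLA_DAYS[self.severity])
        end = self.remediated_at if self.remediated_at is not None else now
        return end <= deadline


def _days(td: timedelta) -> float:
    return td.total_seconds() / 86400


def compute_metrics(reports: list[VulnReport], now: datetime) -> dict:
    """Timing and SLA metrics suitable for the monthly remediation-tracking evidence record."""
    triage_times = [r.time_to_triage() for r in reports if r.time_to_triage() is not None]
    fix_times = [r.time_to_remediate() for r in reports if r.time_to_remediate() is not None]
    return {
        "total": len(reports),
        "open_count": sum(1 for r in reports if r.is_open()),
        "mean_time_to_triage_days": mean(_days(t) for t in triage_times) if triage_times else None,
        "mean_time_to_remediate_days": mean(_days(t) for t in fix_times) if fix_times else None,
        # Closed reports whose fix landed after the severity deadline
        "sla_breached": [r.report_id for r in reports if not r.is_open() and not r.sla_met(now)],
        # Still-open reports already past their deadline: the items needing escalation
        "overdue_open": [r.report_id for r in reports if r.is_open() and not r.sla_met(now)],
    }


def sample_reports() -> list[VulnReport]:
    """Constructed sample data for the example; identifiers and dates are placeholders."""
    return [
        VulnReport("VR-2024-001", "critical", datetime(2024, 1, 1),
                   triaged_at=datetime(2024, 1, 2), remediated_at=datetime(2024, 1, 5),
                   verified_at=datetime(2024, 1, 6)),
        VulnReport("VR-2024-002", "high", datetime(2024, 1, 10),
                   triaged_at=datetime(2024, 1, 15), remediated_at=datetime(2024, 2, 20)),
        VulnReport("VR-2024-003", "medium", datetime(2024, 2, 1),
                   triaged_at=datetime(2024, 2, 3)),
    ]


if __name__ == "__main__":
    for key, value in compute_metrics(sample_reports(), datetime(2024, 3, 1)).items():
        print(f"{key}: {value}")
```

Separating `sla_breached` (closed late) from `overdue_open` (still open and past deadline) matters in practice: the first is a historical compliance figure for the evidence record, the second is the list that should trigger escalation today. A real tracker would also record who the report came from and whether the reporter was acknowledged, since the externally-facing policy sets that expectation.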
Implementation Checklist
Tool Recommendations
| Tool | Capabilities | Licensing |
|---|---|---|
| Veracode | Application security platform with SAST, DAST, SCA, and developer training for secure software development | Per-application subscription |
| Checkmarx | Cloud-native application security platform with SAST, SCA, DAST, API security, and supply chain security testing | Per-developer subscription |
| Snyk | Developer-first application security with SCA, container scanning, IaC security, and SAST integrated into CI/CD | Per-developer subscription |
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Publicly Disclosed Vulnerability in Custom Application Goes Unremediated
Confidentiality: A security researcher publicly discloses a vulnerability in the organization's application after responsible disclosure attempts fail because no process exists to receive and triage vulnerability reports.
Zero-Day Exploit Targeting Unreported Application Flaw
Integrity: An attacker discovers and exploits a vulnerability that had been reported by a user but was never processed because the organization has no intake mechanism for vulnerability reports.
Vulnerabilities (When Safeguard Absent)
No Vulnerability Intake and Handling Process
Without a process to accept and address software vulnerability reports, the organization cannot receive, triage, or remediate reported flaws, leaving known vulnerabilities unpatched.
No External Vulnerability Reporting Mechanism
Absence of a public-facing channel for external researchers to report vulnerabilities means the organization misses early warnings about exploitable flaws in its applications.
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Vulnerability scan reports showing scope and findings | Per scan cycle |
| Record | Vulnerability remediation tracking with SLA compliance metrics | Monthly |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |