Vulnerability Disclosure/Reporting Policy and SOPs?

Can you please consider implementing a Vulnerability Disclosure/Reporting Policy including associated reporting and handling SOPs?

Some Examples:

Sure thing. Let me put that on my todo list.

@adam
Given the recent security vulnerability, is there any change to this item on your roadmap?

Having an industry standard Vulnerability Response & Disclosure Policy, as well as requesting CVE IDs/publishing CVEs for vulnerabilities, would be very helpful for ISO 27001:2015 A.15.1.1-3, A.15.2 and ISO 9001:2016 8.4.1 compliance. This is rapidly becoming a common question auditors are asking when vetting assessments of suppliers, and not just for ISO but other security-related stuff as well.

There hasn’t been a change here, and I agree it’s something that is important. I’ll put an issue in our milestone for this month to provide a policy for this.