ISM-1616 policy ASD Information Security Manual (ISM)

Implementing a Vulnerability Disclosure Program

Create a program to find and fix software issues to keep products secure.

Plain language

A vulnerability disclosure program is like having a feedback mechanism for your software, where users can report any security issues they find. This is important because if nobody reports these vulnerabilities, bad actors might exploit them, leading to data breaches or other security incidents.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

July 2020

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

A vulnerability disclosure program is implemented to assist with the secure development and maintenance of products and services.

Why it matters

Without a vulnerability disclosure program, researchers lack a safe reporting path, so flaws stay hidden or are exploited, leading to breaches and loss.

Operational notes

Triage and validate disclosures, set severity and fix SLAs, acknowledge reporters promptly, and publish a clear reporting channel and safe-harbour rules.

Implementation tips

  • The business owner should appoint a responsible person to oversee the vulnerability disclosure program, ensuring someone is accountable for its success. This person should have good communication skills and basic knowledge of the organisation’s software products.
  • The IT team should create a clear and accessible way for the public to report security issues, such as a dedicated email address or online form. Ensure this contact point is easy to find on the organisation’s website and is monitored regularly.
  • The assigned manager should develop a policy outlining how to handle reported vulnerabilities. This policy should include steps for initial verification, assessment, and remediation of issues and detail how to communicate with the person who reported the vulnerability.
  • Finance or HR should allocate resources for training staff involved in the program. Training should cover the importance of addressing vulnerabilities promptly and the specific procedures to follow when a report is received.
  • IT managers should establish a timeline for reviewing and resolving reported vulnerabilities. This timeline should prioritise issues based on their severity and potential impact, aiming to address critical vulnerabilities as quickly as possible.
Audit / evidence tips

  • Ask: The vulnerability disclosure program policy document. Good: The policy is clearly defined, with roles and responsibilities assigned and timelines for responses.
  • Good: There is a visible and functioning contact point designed for ease of use by the public.
  • Ask: Records of reported vulnerabilities and corresponding actions taken. Good: Records show timely responses and resolutions aligned with the assigned severity level.
  • Good: Examples include thanking the reporter and keeping them informed throughout the process.
  • Ask: Training records of staff involved in the program.
Cross-framework mappings

How ISM-1616 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Annex A 8.8
Relationship: Partially overlaps (1)
Notes: ISM-1616 requires organisations to implement a vulnerability disclosure program so external and internal researchers can report product/s...

Control: Annex A 8.25
Relationship: Supports (1)
Notes: ISM-1616 requires a formal vulnerability disclosure program to help securely develop and maintain products and services by receiving and ...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.