Develop and Maintain a Vulnerability Disclosure Policy
Organisations create and sustain a policy for reporting software vulnerabilities securely.
Plain language
A vulnerability disclosure policy is like an invitation for people to let you know about weaknesses in your software in a safe and organised way. This is crucial because if these vulnerabilities are not reported and fixed, they could be exploited by malicious people, potentially leading to data breaches or system failures.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for software development
Official control statement
A vulnerability disclosure policy is developed, implemented and maintained.
Why it matters
Without a vulnerability disclosure policy, external researchers may not report flaws, leaving vulnerabilities unaddressed and increasing likelihood of compromise or data breach.
Operational notes
Publish a clear disclosure policy with reporting channels, triage/response timeframes and safe-harbour; review and update it regularly as systems and contacts change.
Implementation tips
- The organisation's management team should establish a clear policy for disclosing software vulnerabilities. This policy should outline what information to collect, how to protect the privacy of the reporters, and who in the organisation will handle these reports. Make sure the policy is written in clear language and is easily accessible to everyone involved.
- The communications or IT team should set up a dedicated channel, such as a specific email address, for receiving vulnerability reports. This ensures that people know where to send their findings, and the organisation can track reports efficiently. Advertise this contact information on your website and any relevant documentation.
- Appoint a responsible team or individual within the IT department to handle incoming vulnerability reports. This person or team should review each report, assess its validity, and coordinate any required response or remediation within the organisation. Regularly train this team on best practices for handling sensitive information.
- The IT team should define a step-by-step process for verifying and resolving reported vulnerabilities. This process should include confirming that the vulnerability exists, evaluating its impact, and prioritising fixes accordingly. Document each step so that every report is handled consistently.
- The management team should communicate policy updates and changes with all staff involved periodically. Hosting regular training sessions around this policy helps ensure everyone understands their role and responsibilities. This keeps the team ready and informed when vulnerabilities are reported.
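As an added illustration of the dedicated-channel tip above (not part of the original page), this is a security.txt file in the RFC 9116 format, served at /.well-known/security.txt over HTTPS, which is the standard way to advertise a vulnerability reporting contact on a website. The domain, mailbox, URLs and expiry date are placeholders; Contact and Expires are the two fields the RFC requires, and Expires must be kept in the future (the RFC recommends less than a year ahead), which is why the policy review cycle should include refreshing this file.

```text
# Placeholder security.txt for example.org (constructed for this example)
# Location: https://example.org/.well-known/security.txt

# Required: where to send reports; list the preferred channel first
Contact: mailto:security@example.org
Contact: https://example.org/security/report

# Required: date after which this file must be considered stale (RFC 3339)
Expires: 2026-12-31T23:59:59Z

# Optional: public key for encrypting reports that contain sensitive details
Encryption: https://example.org/security/pgp-key.txt

# Optional: the published disclosure policy, including safe-harbour terms
Policy: https://example.org/security/vulnerability-disclosure-policy

# Optional: languages the triage team can handle
Preferred-Languages: en

# Optional: the authoritative location of this file, so copies elsewhere can be detected
Canonical: https://example.org/.well-known/security.txt
```

When the reporting mailbox, key or policy URL changes, update this file at the same time as the policy document; an auditor checking "how the channels are publicised" can fetch it directly and confirm the Expires date has not lapsed.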
Audit / evidence tips
- Ask: the official vulnerability disclosure policy document. Check that it clearly explains the process for vulnerability reporting and management.
  Good: a document that is dated, carries an official version number, and has been reviewed and approved by management.
- Ask: records of communication channels. Request evidence of how the dedicated vulnerability reporting channels are publicised.
  Good: shows clear and consistent communication of contact information in a public and easy-to-find manner.
- Ask: a list of vulnerability reports received. Inspect the list for details such as dates, vulnerability descriptions, and actions taken.
  Good: recent entries that show active report handling with response timelines and status updates.
- Ask: to see the documented process for verifying and resolving vulnerabilities.
- Ask: about recent training sessions on the vulnerability disclosure policy.
Cross-framework mappings
How ISM-1755 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 5.5 | ISM-1755 requires organisations to develop, implement and maintain a vulnerability disclosure policy to enable secure reporting and coord... |
| Supports | Annex A 5.36 | ISM-1755 requires a vulnerability disclosure policy to be developed, implemented and maintained over time |
| Supports | Annex A 8.8 | ISM-1755 requires organisations to develop, implement and maintain a vulnerability disclosure policy for receiving and handling reported ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.