ISM-1756 policy ASD Information Security Manual (ISM)

Develop and Maintain Vulnerability Disclosure Processes

Organisations must create and maintain procedures for reporting software vulnerabilities.


Plain language

This control is about setting up a clear, well-publicised way for people inside and outside your organisation to report security flaws in your software, such as bugs that an attacker could exploit. It matters because the earlier you learn about a flaw, the sooner you can fix it, before someone uses it to steal data or disrupt your operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Vulnerability disclosure processes, and supporting vulnerability disclosure procedures, are developed, implemented and maintained.

Why it matters

Without a defined vulnerability disclosure process, researchers and staff have no reliable way to report flaws, reports can go unanswered or uncoordinated, and the flaws remain exploitable, increasing the risk of a breach or service disruption.


Operational notes

Maintain public reporting channels and the internal procedures needed to triage, validate and coordinate fixes for each report; record the acknowledgement sent to the reporter, the agreed timelines and the remediation steps, and track every report through to closure.


Implementation tips

  • IT Team should create a reporting email address or web form where people can report software issues. Make it easy to find and use: link it from a well-trafficked page such as the Contact Us section, and consider also publishing a security.txt file (RFC 9116) at /.well-known/security.txt, which is where security researchers look first.
  • Managers should set up a clear process for reviewing and responding to reports. Assign a person or team responsible for checking the reporting channel regularly and acknowledging each report within a set timeframe, such as two business days.
  • System Owners should build a knowledge base or document that records vulnerabilities reported in the past and how they were addressed. Update it whenever a new issue is resolved.
  • Organisational Leaders should communicate the importance of the reporting system to all employees. Encourage staff to report any unusual software behaviour, for example through staff meetings and newsletters.
  • IT Support should work with system developers to prioritise fixing reported vulnerabilities. Use a simple tracking tool, such as a spreadsheet or an issue tracker, to record each report's acknowledgement date, severity, fix date and closure date, so that overdue items are visible and issues are resolved in a timely manner.
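The tracking described in the tips above is easy to get wrong in a spreadsheet: "two business days" is not two calendar days, and a report that was fixed but never closed out with the reporter still needs action. The following is an added example, not code from the ISM or from Control Stack, of a minimal disclosure register that applies those checks. The two-business-day acknowledgement target comes from the tips above; the per-severity remediation targets, the report identifiers and the sample reports are assumptions constructed for the example.

```python
"""Minimal vulnerability disclosure register with SLA checks.

Added example for ISM-1756; not part of the ISM page. The two-business-day
acknowledgement target is from the implementation tips; the remediation
targets, identifiers and sample reports below are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ACK_TARGET_BUSINESS_DAYS = 2  # from the implementation tips above

# Assumed remediation targets in calendar days from receipt, by triaged severity.
REMEDIATION_TARGET_DAYS = {"critical": 2, "high": 14, "medium": 30, "low": 90}


def add_business_days(start: date, days: int) -> date:
    """Return the date `days` business days (Mon-Fri) after `start`.

    Public holidays are not modelled; add them if your SLA excludes them.
    """
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0=Mon ... 4=Fri
            remaining -= 1
    return current


@dataclass
class Report:
    ref: str
    received: date
    severity: str                       # assigned at triage
    acknowledged: Optional[date] = None  # acknowledgement sent to reporter
    fixed: Optional[date] = None         # remediation confirmed
    closed: Optional[date] = None        # reporter informed, record closed


def ack_status(report: Report, today: date) -> str:
    """'ok' / 'late' once acknowledged; 'pending' / 'overdue' while not."""
    deadline = add_business_days(report.received, ACK_TARGET_BUSINESS_DAYS)
    if report.acknowledged is None:
        return "overdue" if today > deadline else "pending"
    return "ok" if report.acknowledged <= deadline else "late"


def remediation_status(report: Report, today: date) -> str:
    """'ok' / 'late' once fixed; 'open' / 'overdue' while not."""
    deadline = report.received + timedelta(days=REMEDIATION_TARGET_DAYS[report.severity])
    if report.fixed is None:
        return "overdue" if today > deadline else "open"
    return "ok" if report.fixed <= deadline else "late"


def register_summary(reports, today: date) -> dict:
    """Map each ref to (ack status, remediation status, closed?)."""
    return {r.ref: (ack_status(r, today), remediation_status(r, today), r.closed is not None)
            for r in reports}


def open_items(reports, today: date) -> list:
    """Refs still needing action: anything not closed, including fixed-but-not-closed."""
    return sorted(r.ref for r in reports if r.closed is None)


# Constructed sample register (assumed data). 2024-03-01 is a Friday, so the
# acknowledgement deadline for VDP-0001 is Tuesday 2024-03-05, not Sunday.
TODAY = date(2024, 3, 12)
SAMPLE_REPORTS = [
    Report("VDP-0001", date(2024, 3, 1), "high",
           acknowledged=date(2024, 3, 5), fixed=date(2024, 3, 10), closed=date(2024, 3, 11)),
    Report("VDP-0002", date(2024, 3, 6), "critical"),                 # never acknowledged
    Report("VDP-0003", date(2024, 3, 4), "medium", acknowledged=date(2024, 3, 7)),
]

if __name__ == "__main__":
    for ref, (ack, rem, closed) in register_summary(SAMPLE_REPORTS, TODAY).items():
        print(f"{ref}: ack={ack} remediation={rem} closed={closed}")
    print("needs action:", open_items(SAMPLE_REPORTS, TODAY))
```

Run against the sample data this flags VDP-0002 as both unacknowledged and past its remediation target, and VDP-0003 as acknowledged late but still within its fix window; that is the view an auditor asking for "dates and actions taken" will expect to see, whatever tool you keep it in.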

Audit / evidence tips

  • Ask: to see the vulnerability reporting procedure document. Good evidence: includes clear, step-by-step instructions with responsible team members named.
  • Ask: to see correspondence with people who have reported vulnerabilities. Good evidence: shows timely and professional interactions with clear resolutions.
  • Ask: for the list of vulnerabilities addressed in the past year, and check how these were discovered, prioritised and resolved. Good evidence: a well-maintained record with dates and actions taken.
  • Ask: about staff training materials on reporting procedures. Good evidence: training records with dates and attendance lists.
  • Ask: to see the knowledge base of resolved vulnerabilities. Good evidence: contains detailed and up-to-date information about vulnerabilities and their solutions.

Cross-framework mappings

How ISM-1756 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (2)

  • Annex A 5.24: ISM-1756 requires organisations to develop, implement and maintain vulnerability disclosure processes and procedures for reporting softwa...
  • Annex A 8.8: Annex A 8.8 requires obtaining information on technical vulnerabilities, evaluating exposure, and taking appropriate measures to address ...

Supports (1)

  • Annex A 5.19: ISM-1756 requires organisations to develop, implement and maintain vulnerability disclosure processes and procedures for reporting softwa...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
