Introduction: The Twin Standards of Coordinated Vulnerability Disclosure
ISO/IEC 29147 (Information technology — Security techniques — Vulnerability disclosure) and ISO/IEC 30111 (Information technology — Security techniques — Vulnerability handling processes) are the two internationally recognised standards that together define how an organisation should receive information about potential vulnerabilities in its products and online services, and how it should investigate, remediate and publicly disclose those vulnerabilities. Where 29147 is externally facing — describing the interface between a vendor and the outside world (finders, researchers, coordinators, users) — 30111 is internally facing, describing the disciplined engineering process that runs behind that interface. Neither standard makes sense in isolation: a slick disclosure front-end with no repeatable handling process merely generates broken promises, and a rigorous handling process with no disclosure channel means the organisation never hears about the vulnerabilities it is so well-equipped to fix.
The current editions are ISO/IEC 29147:2018 and ISO/IEC 30111:2019. Both were revised from their 2013/2014 first editions to align terminology, embrace the language of Coordinated Vulnerability Disclosure (CVD), and reflect the maturity of bug-bounty programmes, third-party coordinators (such as national CERTs and CERT/CC) and the Common Vulnerabilities and Exposures (CVE) ecosystem. This guide treats the two standards as a single operating model — the vulnerability disclosure and handling lifecycle — because that is how an auditor assesses them and how a product security team must implement them. It is written for both the assessor validating conformance and the product/PSIRT team building the capability from scratch.
What is Vulnerability Disclosure (ISO/IEC 29147 & 30111)?
Vulnerability disclosure is the process by which knowledge of a security weakness in a product or service moves from the person who found it (the finder or reporter) to the party that can fix it (the vendor or service operator), and ultimately — in a controlled, coordinated fashion — to the users and the wider public who need to protect themselves. The twin standards codify this so that the process is predictable, respectful of all parties, and repeatable across an organisation's entire portfolio rather than being reinvented in a panic every time a researcher sends an email.
ISO/IEC 29147 focuses on the disclosure interface and communications. It specifies how a vendor should advertise the ability to receive reports, how it should acknowledge and respond to finders, and what information a security advisory should contain so that users can make informed remediation decisions. Its central concepts are the receipt of vulnerability reports, the ongoing communication with reporters and coordinators, and the publication of vulnerability advisories.
ISO/IEC 30111 focuses on the handling process. It describes the organisational structure and workflow needed to receive a report, verify and triage it, investigate root cause and scope, develop and test a remediation, and release that remediation in coordination with disclosure. It emphasises that vulnerability handling is a cross-functional business process — not merely a task for a security team — spanning engineering, legal, communications, support and executive management.
Together they establish Coordinated Vulnerability Disclosure (CVD): a model in which finder and vendor cooperate, a remediation is prepared before public disclosure where feasible, and the release of advisory and fix is timed to minimise the window in which users are exposed to a known-but-unpatched flaw. This contrasts with 'full disclosure' (immediate public release regardless of a fix) and 'non-disclosure' (concealment), both of which the standards implicitly discourage in favour of coordination.
Who Must Comply
Neither standard is legally mandatory in itself, but conformance to ISO/IEC 29147 and 30111 is increasingly demanded by regulators, procurement frameworks and customers. Adoption is effectively obligatory for any organisation that ships software, firmware, hardware or online services to third parties. The table below summarises who is in scope and why.
| Category of organisation | Why disclosure & handling applies | Typical external driver |
|---|---|---|
| Commercial software & SaaS vendors | Products contain vulnerabilities that finders will report; customers expect advisories | Customer security addenda; ISO/IEC 27001 A.8.8; app-store rules |
| Hardware, IoT & OT/ICS manufacturers | Firmware defects have long field life and safety impact | EU CRA, ETSI EN 303 645, IEC 62443-4-1, US EO 14028 |
| Medical device manufacturers | Patient-safety consequences of unpatched flaws | US FDA premarket cyber guidance; MDCG 2019-16; TGA |
| Automotive & connected-vehicle makers | Safety-critical, regulated cyber requirements | UNECE R155/R156 (CSMS); ISO/SAE 21434 |
| Government & public-sector bodies | National directives increasingly mandate a VDP | US BOD 20-01; CERT-In directions; DPDP obligations (India) |
| Critical infrastructure operators | Sector regulators require reporting & handling | NIS2 (EU), CERT-In (India), sector CSIRTs |
| National CERTs / coordinators | Act as third-party coordinators in multi-party CVD | FIRST membership; national mandate |
| Open-source projects & maintainers | Downstream consumers need advisories and CVEs | OpenSSF Scorecard; security.md expectations |
Structure of the Vulnerability Disclosure & Handling Standards
The standards are not organised as a list of numbered 'controls' in the way ISO/IEC 27001 Annex A is. Instead each standard defines a set of concepts, process phases, and requirements/recommendations. For assessment purposes it is useful to decompose them into logical domains. The table below maps the domains an auditor typically evaluates, indicating which standard each domain draws from.
| Domain (assessment view) | Source standard | Nature of requirements | Core outcome |
|---|---|---|---|
| Policy & governance | 29147 + 30111 | Establish, publish and maintain a disclosure policy | Documented VDP with scope and safe-harbour |
| Report receipt / intake capability | 29147 | Provide and advertise reporting channels | Discoverable, reliable, secure intake |
| Reporter communication | 29147 | Acknowledge, update and coordinate with finders | Timely, respectful two-way dialogue |
| Vulnerability advisory publication | 29147 | Content, format and distribution of advisories | Actionable public advisories with identifiers |
| Handling process organisation | 30111 | Cross-functional roles and workflow | A repeatable multi-phase handling process |
| Triage & verification | 30111 | Confirm, prioritise and scope reports | Validated, ranked vulnerability inventory |
| Remediation development | 30111 | Root-cause, fix, regression and variant analysis | Tested remediation ready to release |
| Release & coordination | 30111 + 29147 | Synchronise fix release with disclosure | Coordinated, minimal-exposure release |
| Post-release & continual improvement | 30111 | Monitoring, lessons learned, metrics | Feedback loop into engineering & policy |
| Multi-party coordination | 29147 + 30111 | Coordinators, shared components, embargoes | Fair handling across affected vendors |
Master Assessment Checklist
This is the core of the guide. Each h3 below corresponds to a domain of the twin standards. For every domain a table enumerates the specific items an assessor verifies alongside the typical evidence an implementer should produce. Nothing is skipped: intake, communication, advisory content, the full 30111 handling phases, multi-party coordination and continual improvement are all covered. Use these tables both as an audit programme and as an implementation backlog.
D1 — Vulnerability Disclosure Policy & Governance
| What to verify | Typical evidence |
|---|---|
| A written vulnerability disclosure policy (VDP) exists and is approved by management | Signed policy document; management sign-off record |
| The policy defines scope: which products, versions and services are in and out of scope | Scope statement / asset list within the VDP |
| The policy states expected finder conduct and prohibited actions (no data exfiltration, no service disruption) | Rules-of-engagement section |
| Safe-harbour / non-prosecution language is present for good-faith research | Legal-reviewed safe-harbour clause |
| The policy commits to indicative response and remediation timelines | SLA table inside VDP (e.g. acknowledge in X days) |
| The policy is reviewed on a defined cadence and version-controlled | Review log; document version history |
| Roles and executive ownership of disclosure are assigned | RACI; PSIRT charter naming an accountable owner |
D2 — Report Receipt & Intake Capability (29147)
| What to verify | Typical evidence |
|---|---|
| At least one reporting channel is provided (form, email alias, portal, or coordinator) | Live intake form / security@ alias / bug-bounty portal |
| The channel is discoverable via well-known locations | Published security.txt (RFC 9116) at /.well-known/security.txt |
| Intake supports secure/encrypted submission of sensitive detail | PGP key or TLS-protected form; documented crypto option |
| Intake is monitored and does not silently drop reports | Ticket auto-creation logs; monitoring alert config |
| The organisation can receive reports even without a formal bounty | Documented email fallback; coordinator routing |
| Intake availability is resilient (not dependent on one individual) | Shared mailbox / rota; on-call coverage evidence |
| Received reports are logged with a unique tracking identifier | Case-management records showing per-report IDs |
D3 — Reporter (Finder) Communication (29147)
| What to verify | Typical evidence |
|---|---|
| Reports are acknowledged to the finder within the stated timeframe | Acknowledgement emails with timestamps vs SLA |
| The finder receives status updates through the lifecycle | Communication log / thread per case |
| A single point of contact or reference number is given to the finder | Ticket reference shared with reporter |
| Coordination on public-disclosure timing is negotiated, not dictated | Correspondence agreeing an embargo/disclosure date |
| Credit / recognition preferences of the finder are captured and honoured | Credit-preference field; published acknowledgements page |
| Confidentiality expectations are communicated to both parties | Embargo notice in reporter correspondence |
| Escalation path exists for disputes or non-response | Documented escalation to coordinator/CERT |
D4 — Vulnerability Advisory Publication (29147)
| What to verify | Typical evidence |
|---|---|
| A defined advisory template exists with mandatory fields | Advisory template document |
| Advisories identify affected products and versions precisely | Sample published advisory listing versions |
| A vulnerability identifier is assigned (CVE or vendor ID) | CVE ID in advisory; CNA records if a CNA |
| Severity/impact is communicated (e.g. CVSS vector and score) | CVSS v3.1/v4.0 vector in advisory |
| Remediation and mitigation/workaround guidance is provided | Remediation section with patch links |
| Advisories are published through advertised, stable channels | Advisory page / RSS / mailing list archive |
| Advisory timing is coordinated with fix availability | Release-vs-advisory timeline record |
| Machine-readable advisory formats are considered (CSAF/VEX) | CSAF 2.0 document; VEX statements |
D5 — Handling Process Organisation (30111)
| What to verify | Typical evidence |
|---|---|
| A documented vulnerability-handling process exists end to end | Process/SOP document with phase definitions |
| The process is cross-functional (engineering, legal, comms, support, exec) | RACI covering all functions; meeting records |
| A PSIRT or equivalent coordinating function is established | PSIRT charter; team roster; FIRST/SIG alignment |
| Handling covers products no longer in active development | End-of-life handling policy |
| The process handles vulnerabilities in third-party/upstream components | Upstream escalation records; SBOM linkage |
| Confidentiality and information-handling controls apply to case data | Access-control on case system; need-to-know policy |
| Process performance is measured and reviewed by management | Metrics dashboard; management review minutes |
D6 — Triage & Verification (30111 Phase)
| What to verify | Typical evidence |
|---|---|
| Every report is verified for reproducibility and validity | Triage notes; reproduction steps recorded |
| Duplicate and previously-known reports are identified and merged | Deduplication log; linkage to prior cases |
| Impact and affected scope (products, versions, configs) are assessed | Scope analysis in the case record |
| A prioritisation / severity method is applied consistently | CVSS scoring worksheet; internal priority matrix |
| Out-of-scope or non-security reports are closed with rationale | Closure notes; reporter notification |
| Triage decisions and timelines meet defined targets | SLA compliance report for triage stage |
D7 — Remediation Development (30111 Phase)
| What to verify | Typical evidence |
|---|---|
| Root-cause analysis is performed, not just symptom fixing | RCA document per vulnerability |
| Variant analysis searches for the same flaw elsewhere in the codebase | Variant-analysis findings; related-issue tickets |
| A remediation (patch/config/mitigation) is developed and code-reviewed | Merge request; peer-review record |
| Regression and security testing validate the fix | Test results; security regression suite output |
| Backporting to supported branches/versions is considered | Backport tickets across maintained versions |
| Interim mitigations are documented where a full fix is delayed | Workaround guidance draft |
| Fix quality is gated before release (no new vulnerabilities introduced) | QA sign-off; SAST/DAST scan results |
D8 — Release & Disclosure Coordination (30111 + 29147)
| What to verify | Typical evidence |
|---|---|
| Fix release and advisory publication are synchronised | Release runbook aligning both events |
| Disclosure timing is agreed with finder and coordinators | Signed-off disclosure date; embargo agreement |
| Downstream/OEM consumers are notified ahead of public disclosure where needed | Pre-notification distribution list & records |
| Emergency / out-of-band release path exists for actively-exploited flaws | OOB release procedure; example incident |
| Advisory, CVE and patch cross-reference each other | Consistent identifiers across artefacts |
| Customers can reliably obtain the remediation | Patch distribution channel; update mechanism |
D9 — Post-Release & Continual Improvement (30111)
| What to verify | Typical evidence |
|---|---|
| Post-disclosure monitoring detects incomplete fixes / bypasses | Reopened-case records; follow-up advisories |
| Lessons-learned reviews feed back into secure development | Retrospective notes; SDLC change requests |
| Recurring root causes drive systemic engineering improvements | Trend analysis; hardening backlog items |
| Metrics (time-to-fix, backlog, reopen rate) are tracked over time | KPI history; trend charts |
| The disclosure policy and process are updated based on experience | Change log linking incidents to policy edits |
| Reporter feedback on the process is solicited and actioned | Researcher satisfaction survey; action list |
D10 — Multi-Party & Coordinator Handling (29147 + 30111)
| What to verify | Typical evidence |
|---|---|
| A process exists to engage third-party coordinators (CERT/CC, national CERT) | Coordinator engagement procedure & contacts |
| Shared-component vulnerabilities trigger notification of all affected vendors | Multi-vendor notification records |
| Embargo management across multiple parties is coordinated | Embargo tracker; shared disclosure calendar |
| The organisation can act as either reporter or receiver in coordinated cases | Examples of both inbound and outbound coordination |
| Fair, non-preferential treatment across affected parties is maintained | Coordination policy; equal-notification evidence |
| Handoff of cases to/from coordinators is documented | Case transfer records with coordinator |
Scoping the Disclosure & Handling Programme
Scoping determines which assets, products, services and third-party relationships fall under the disclosure policy and the handling process. Under-scoping (excluding legacy or acquired products) leaves blind spots that finders will inevitably probe; over-scoping stretches the PSIRT beyond its capacity and erodes response times. A defensible scope is explicit, asset-driven and reviewed as the portfolio changes.
- Enumerate all products, product versions, firmware, APIs and online services offered to third parties, and record their support/EOL status.
- Decide which are in-scope for accepting reports and which are explicitly out of scope, and state this in the published policy.
- Map dependencies and third-party/open-source components (via SBOM) that could carry inherited vulnerabilities.
- Define the boundary with the internal incident-response process — a disclosed vulnerability may escalate into a live security incident.
- Clarify geographic and regulatory scope (e.g. CERT-In reporting duties in India, EU CRA obligations) that overlay the standards.
- Identify multi-party scenarios (shared libraries, OEM/white-label relationships) requiring coordinator involvement.
- Set out-of-scope exclusions clearly (e.g. social-engineering, physical attacks, third-party-hosted assets) to manage reporter expectations.
Implementation Approach (Phased)
Building a conformant disclosure and handling capability is best done in phases. Each phase below lists its key activities and the deliverables an auditor will later request as evidence.
Phase 1 — Foundation & Governance
- Activities: secure executive sponsorship; establish (or formalise) a PSIRT; draft the vulnerability disclosure policy; obtain legal review of safe-harbour language; define roles via a RACI.
- Deliverables: approved VDP; PSIRT charter; RACI matrix; legal safe-harbour clause; management sign-off record.
Phase 2 — Intake & Communication Interface (29147)
- Activities: stand up reporting channels (form/alias/portal); publish security.txt; provision a PGP key; integrate intake with a case-management system; define acknowledgement and status-update SLAs.
- Deliverables: live intake channel; published /.well-known/security.txt; case-management workflow; SLA definitions; reporter communication templates.
Phase 3 — Handling Process (30111)
- Activities: document the end-to-end handling workflow (triage, verification, remediation, testing, release); define severity/CVSS scoring; establish root-cause and variant-analysis practice; connect to the secure SDLC and QA gates.
- Deliverables: handling SOP; triage & scoring guide; RCA template; test/QA gate definitions; escalation procedure.
Phase 4 — Advisory & Coordination Capability
- Activities: create the advisory template; become or engage a CVE CNA; adopt machine-readable advisory formats (CSAF/VEX); establish coordinator relationships and embargo management; build downstream notification lists.
- Deliverables: advisory template; CVE/CNA process; CSAF pipeline; coordinator contact register; embargo tracker.
Phase 5 — Operate, Measure & Improve
- Activities: run the programme live; capture KPIs; conduct post-incident retrospectives; feed recurring root causes into engineering hardening; review and update policy periodically.
- Deliverables: KPI dashboard; retrospective reports; management-review minutes; policy version history; researcher feedback records.
Maturity / Capability Model
The standards themselves are not tiered, but assessors commonly grade a disclosure and handling programme against a five-level capability model. This helps organisations benchmark and plan improvement. The model below is a CyberSigma assessment construct aligned to the intent of 29147 and 30111.
| Level | Name | Characteristics | Indicative evidence |
|---|---|---|---|
| 1 | Initial / Ad hoc | No policy; reports handled reactively by whoever notices; no SLAs | Occasional email threads; no case system |
| 2 | Reactive | Basic intake (security@) and informal handling; inconsistent response | Shared mailbox; sporadic acknowledgements |
| 3 | Defined | Published VDP, documented 30111 process, advisory template, CVSS scoring | VDP, SOP, security.txt, sample advisories |
| 4 | Managed | SLAs met and measured; CNA status; coordinator engagement; metrics reviewed | KPI dashboard; embargo tracker; CNA records |
| 5 | Optimised | Continual improvement; variant analysis; machine-readable advisories; researcher-friendly programme | CSAF/VEX pipeline; trend-driven hardening; bounty maturity |
Assessment & Audit Approach
A conformance assessment against ISO/IEC 29147 and 30111 follows a structured sequence, combining documentation review with process walkthroughs and live-case sampling.
- Define the assessment scope: which products, services and organisational units are covered, and confirm the standards' editions in use.
- Review the published disclosure policy, security.txt and intake channels for existence, discoverability and completeness.
- Examine the documented 30111 handling process and PSIRT charter, mapping each phase to responsible roles.
- Sample recent vulnerability cases end to end — from intake through triage, remediation, release and advisory — to test process adherence.
- Test reporter communication: verify acknowledgements, status updates, credit handling and disclosure-timing coordination against SLAs.
- Assess advisory quality: identifiers, affected-version accuracy, CVSS scoring, remediation guidance and coordinated timing.
- Evaluate multi-party and coordinator handling, embargo management and downstream notification where applicable.
- Review metrics, management reviews and continual-improvement evidence to confirm the process is measured and maturing.
- Document findings, non-conformities and observations; rate maturity; and agree a remediation plan with owners and dates.
Evidence Request List
Assessors typically request the following categorised evidence in advance of fieldwork. Implementers should treat this as a readiness inventory.
- Governance: approved vulnerability disclosure policy; PSIRT charter; RACI; management-review minutes; policy version history.
- Intake: screenshots/links of reporting channels; published security.txt; PGP key details; case-management configuration.
- Communication: sample reporter correspondence showing acknowledgement and updates; credit/acknowledgements page; embargo notices.
- Handling process: end-to-end handling SOP; triage and CVSS scoring guides; RCA and variant-analysis templates; QA/security test gates.
- Advisories: advisory template; published advisories; CVE/CNA records; CSAF/VEX artefacts if used.
- Coordination: coordinator contact register; multi-vendor notification records; embargo tracker; downstream notification lists.
- Metrics & improvement: KPI dashboards; SLA-compliance reports; retrospective/lessons-learned reports; researcher feedback.
- Case sample: a set of closed and in-flight vulnerability cases with full audit trail for walkthrough.
Roles & Responsibilities
| Role | Primary responsibilities | Standard emphasis |
|---|---|---|
| Executive sponsor / CISO | Own the VDP; allocate resources; accountable for disclosure outcomes | Governance (both) |
| PSIRT lead / coordinator | Run the handling process; coordinate cross-functional response | 30111 process ownership |
| Triage analyst | Validate, deduplicate, scope and score incoming reports | 30111 triage phase |
| Product / engineering team | Root-cause analysis, remediation development, variant analysis | 30111 remediation phase |
| QA / security testing | Validate fixes and prevent regressions before release | 30111 remediation quality gate |
| Communications / PR | Draft and time public advisories and messaging | 29147 advisory publication |
| Legal / compliance | Safe-harbour language, regulatory reporting, embargo terms | 29147/30111 governance |
| Support / customer success | Distribute remediation and field customer queries | 29147 release & user comms |
| Finder / external researcher | Report responsibly; coordinate disclosure timing | 29147 reporter interface |
| Third-party coordinator (CERT) | Facilitate multi-party CVD and embargoes | 29147/30111 coordination |
KPIs to Track
- Time-to-acknowledge: median and 90th-percentile time from report receipt to finder acknowledgement, against SLA.
- Time-to-triage: time from receipt to validated severity and scope decision.
- Time-to-remediate (mean time to remediate): time from validation to available fix, segmented by severity.
- Time-to-disclose: time from remediation availability to public advisory (coordinated window).
- Open vulnerability backlog and its age distribution.
- Reopen / regression rate: proportion of advisories requiring a follow-up fix (incomplete-fix indicator).
- Report validity rate: share of inbound reports that are valid, unique vulnerabilities.
- Advisory completeness: percentage of advisories with CVE ID, CVSS vector and remediation guidance.
- Coverage: percentage of in-scope products with an active, documented disclosure channel.
- Researcher satisfaction / repeat-reporter rate as a proxy for programme health.
Readiness Checklist
- A management-approved vulnerability disclosure policy is published and version-controlled.
- Reporting channels are live and discoverable via security.txt (RFC 9116).
- Secure submission (PGP/TLS) is available for sensitive reports.
- Acknowledgement and status-update SLAs are defined and being met.
- A PSIRT (or equivalent) with a documented charter and RACI is in place.
- An end-to-end 30111 handling process (triage, remediation, testing, release) is documented and followed.
- Root-cause and variant analysis are standard practice for every remediation.
- A CVSS-based severity model and consistent prioritisation are applied.
- An advisory template with CVE ID, affected versions, CVSS and remediation exists.
- CVE assignment (via CNA or a CNA-of-last-resort) is in place.
- Coordinated disclosure timing is negotiated with finders and coordinators.
- Multi-party and downstream notification procedures exist for shared components.
- KPIs are captured and reviewed by management on a defined cadence.
- Retrospectives feed lessons learned into the secure SDLC and policy updates.
- Machine-readable advisory formats (CSAF/VEX) are adopted or planned.
Common Gaps
- No published disclosure channel — finders resort to social media or full disclosure because they cannot find a way to report.
- security.txt absent or pointing to an unmonitored mailbox, so reports are silently lost.
- A disclosure front-end with no underlying 30111 handling process, producing acknowledgements but no fixes.
- Missing safe-harbour language, deterring good-faith researchers or provoking legal disputes.
- Symptom-only fixes with no root-cause or variant analysis, leading to repeated related vulnerabilities.
- Advisories lacking CVE IDs, precise affected versions or CVSS scoring, leaving users unable to prioritise.
- Uncoordinated disclosure timing that either exposes users to unpatched flaws or burns finder goodwill.
- No handling for end-of-life products or third-party/open-source components carrying inherited vulnerabilities.
- Over-reliance on a single individual, so intake and coordination stall during absence.
- No metrics or management review, so SLA breaches and backlog growth go unnoticed.
- Poor multi-party coordination on shared components, causing unfair or premature disclosure across vendors.
- No feedback loop into the secure SDLC, so the same classes of vulnerability keep recurring.
Vulnerability Disclosure Mapped to Other Frameworks
ISO/IEC 29147 and 30111 dovetail with numerous other standards and regulations. Mapping them helps organisations reuse evidence and satisfy overlapping obligations.
| Framework / regulation | Relevant element | Relationship to 29147/30111 |
|---|---|---|
| ISO/IEC 27001:2022 | Annex A 8.8 (management of technical vulnerabilities), A 5.7 threat intel | 27001 requires vuln management; 29147/30111 operationalise external disclosure & handling |
| NIST SSDF (SP 800-218) | RV practices (Respond to Vulnerabilities) | SSDF RV.1-RV.3 align directly with 30111 handling and 29147 disclosure |
| NIST SP 800-216 | Federal vulnerability disclosure guidelines | US-federal implementation guidance consistent with 29147/30111 |
| EU Cyber Resilience Act (CRA) | Coordinated vulnerability disclosure & reporting duties | CRA mandates a CVD policy — directly satisfied by 29147/30111 conformance |
| ISO/SAE 21434 & UNECE R155 | Cybersecurity management system, vulnerability handling | Automotive CSMS requires handling/disclosure fulfilled via 30111 |
| IEC 62443-4-1 | DM (Defect Management) practices for OT product security | 62443-4-1 defect handling maps to 30111 process |
| FDA premarket cybersecurity | Coordinated disclosure for medical devices | Device VDP expectations satisfied by 29147/30111 |
| US CISA BOD 20-01 | Federal agency VDP requirement | Requires a VDP as described by 29147 |
| CERT-In directions (India) | Incident/vulnerability reporting timelines | Overlays statutory reporting onto the 30111 handling flow |
| FIRST PSIRT Services Framework | PSIRT capability model | Provides the operating model implementing 30111 |
| CVE / CNA rules & CVSS | Identifier assignment and scoring | Supply the identifiers and severity used in 29147 advisories |
| CSAF 2.0 / VEX | Machine-readable advisories | Modern distribution format for 29147 advisory content |
Frequently asked questions
Need help with Vuln Disclosure?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
