Vulnerability handling and disclosure for products and online services are regarded as important parts of vendor support. In this context, a vendor means the individual or organization that developed the product or service, or those responsible for maintaining it. Guidelines for vulnerability handling and disclosure are provided by ISO/IEC 29147 and ISO/IEC 30111.
JPCERT/CC has been assisting vendors with vulnerability handling as a coordinator and disclosing vulnerabilities on Japan Vulnerability Notes (JVN) under the Japanese domestic framework "Information Security Early Warning Partnership" since 2004. Internationally, JPCERT/CC also coordinates vulnerability handling in cooperation with CSIRTs in other countries as well as with reporters who report vulnerabilities directly to JPCERT/CC.
The documents on this page explain how vendors should conduct vulnerability handling and how JPCERT/CC will coordinate their efforts.
| Date | Document | Size |
|---|---|---|
| 2018-03-30 | JPCERT/CC Vulnerability Coordination and Disclosure Policy | 207KB (PGP) |
| 2017-06-06 | Guidelines for Information Security Early Warning Partnership (Summary) | 233KB (PGP) |
| 2009-07-08 | Vulnerability Disclosure Guideline for Software Developers | 293KB (PGP) |