← Back to catalog
RA-5(11)

Public Disclosure Program

Risk Assessment (RA)
Baselines
Low · IncludedModerate · IncludedHigh · Included
Description

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.

Discussion

The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.

Implementation guidance

No content available.

CSF 2.0 crosswalk

No CSF mappings exist for this control.