JPCERT/CC Publishes "Vulnerability Coordination and Disclosure Policy"
JPCERT/CC has been coordinating and disclosing software vulnerabilities under the "Information Security Early Warning Partnership" since 2004. We have coordinated and disclosed over 1,500 vulnerabilities with developers as of the end of 2017. The "Information Security Early Warning Partnership" has a guideline that serves as a framework for how vulnerabilities are coordinated within Japan. An overview of the framework including how reported vulnerabilities are coordinated and disclosed is provided at the following:
Guidelines for Information Security Early Warning Partnership (Summary)
While the framework does not explicitly state "only reports from domestic reporters" will be coordinated, JPCERT/CC has mainly coordinated vulnerabilities discovered and reported by reporters in Japan through this framework.
Over the years, there have been vulnerability reports coordinated by JPCERT/CC in cooperation with overseas CSIRTs or directly reported by overseas reporters. As the number of such reports have increased, it became apparent to us that we needed an outward facing policy that states what vulnerability reports will be coordinated and how they will be coordinated. The main goal in publishing this policy is to set expectations on what vulnerability reports may or may not be coordinated to reporters of vulnerabilities to JPCERT/CC.
The policy states the point of contact at JPCERT/CC for vulnerability reports, what we require in a vulnerability report, what reports will be coordinated, what will be published, etc.
For details, refer to the policy that is on the JPCERT/CC website.
JPCERT/CC Vulnerability Coordination and Disclosure Policy
If you have any questions, please contact us at vultures [at] jpcert.or.jp.
- Taki Uchiyama
JPCERT/CC Member of Technical Committee