What is the vulnerability disclosure workflow under NIST SP 800-218 SSDF?
Handle vulnerability disclosure with a simple workflow: provide a clear reporting path, receive and triage the report, confirm whether the issue is credible, assign an owner for investigation and response, track remediation or other risk response, and communicate the outcome to the right stakeholders.
A useful answer does more than confirm that vulnerability disclosure is mentioned. It should state what action is required, which source supports it, who owns it, and what evidence demonstrates the current state.
In practice, teams should make it easy for security researchers, customers, suppliers, and internal staff to report possible vulnerabilities, then use a defined triage flow to decide whether the report is valid, how urgent it is, and whether the next step is a fix, a mitigation, or a disclosure response.
- Define the vulnerability disclosure scope and source-linked trigger before assigning the work.
- Create evidence that proves the vulnerability disclosure decision for the specific product, service, supplier, control, certificate profile, or implementation context.
- Set a change trigger so the answer is reviewed after material source, product, supplier, platform, audit, or process changes.
NIST SP 800-218 supports this vulnerability-disclosure guidance by tying vulnerability reporting, triage, remediation, and evidence records to secure software development practices.