RA-5(11): Public Disclosure Program
Control Family:
Parent Control:
Baselines:
- Low
- Moderate
- High
Control is new to this version of the control set.
Control Statement
Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.
Supplemental Guidance
The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.