IPA/ISEC：Vulnerabilities：Vulnerability Disclosure Guideline for Software Developers Released

In terms of quality and reliability assurance, it is important for software developers to provide secure products to their users, but even a product that has been developed through thorough security design could still have vulnerabilities.

If the software developers do not disclose information knowing their products have vulnerabilities and conceal the damage they may cause, or provide insufficient or even false information, it could put information assets or social activities of the users at risk. The software developers should voluntarily take necessary action as quickly as possible and offer accurate vulnerability information to the users.

This guideline aims to provide the users with the necessary vulnerability information appropriately through suggesting the software developers a desirable vulnerability disclosure policy and procedure. For example, it provides a list of information items that should be included in vulnerability information, some recommended and undesirable publication examples, and how to guide the users to vulnerability information on a web site. We hope that the guideline will help the software developers when they release vulnerability information.

The guideline is part of the Information Security Early Warning Partnership Guideline, which was been developed to promote the best practices for preventing virus and unauthorized access incidents through prompt and efficient vulnerability information distribution.

This document can be downloaded at:
http://www.ipa.go.jp/security/english/third.html

http://www.jpcert.or.jp/english/vh/guidelines.html

http://www.ipa.go.jp/security/ciadr/partnership_guide.html (in Japanese)

http://www.jpcert.or.jp/vh/index.html#link_japan (in Japanese)

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: