The Department of Justice (DOJ) Criminal Division Cybersecurity Unit has published a framework ("A Framework for a Vulnerability Disclosure Program for Online Systems", 2017) to assist organizations that want to create a formal vulnerability disclosure program. Its focus is on the policy and authorization side of such a program: defining which systems and testing methods are in scope, how reports are received and handled, and how the organization will communicate with reporters, rather than on technical detail.
An excerpt from the DOJ Framework:
“An increasing number of organizations in the public and private sectors are adopting vulnerability disclosure programs to improve their ability to detect security issues on their networks that could lead to the compromise of sensitive data and the disruption of services. Some organizations are informally soliciting vulnerability reports without creating structured vulnerability disclosure programs. Others, however, are creating formalized vulnerability disclosure programs that include published policies describing the manner in which they will accept information about security vulnerabilities and how they may disclose vulnerability reports to affected parties and/or the public. Such policies may also outline authorized methods that may be used to discover vulnerabilities in an organization’s information systems, services, and products…The Criminal Division’s Cybersecurity Unit has prepared this framework to assist organizations interested in instituting a formal vulnerability disclosure program.”