Vulnerabilities identified in software are publicly disclosed (where appropriate to do so) by software developers in a timely manner.
Topic: Reporting and resolving vulnerabilities
Applicable to: Non Classified, Official, Protected, Secret, Top Secret
History
Mar 2025
Vulnerabilities identified in software are publicly disclosed (where appropriate to do so) by software developers in a timely manner.
A number of existing controls were reworded for clarity without changing their intent.
Dec 2023
Vulnerabilities identified in applications are publicly disclosed (where appropriate to do so) by software developers in a timely manner.
A new control recommending vulnerabilities identified in applications be publicly disclosed (where appropriate to do so) by software developers in a timely manner was added.