CISA Vulnerability Disclosure Policy

CISA will attempt to coordinate all reported cyber vulnerabilities with the affected vendor of industrial control systems or information technology products.

An appropriate timeframe for mitigation development and the type and schedule of disclosure will be determined based on the factors involved. Extenuating circumstances, such as active exploitation, threats of an especially serious nature, or situations that require changes to an established standard may result in earlier or later disclosure. Other factors include:

  • whether the vulnerability has already been publicly disclosed
  • the severity of the vulnerability
  • potential impact to critical infrastructure
  • possible threat to public health and safety
  • immediate mitigations available
  • vendor responsiveness and feasibility for creating an upgrade or patch
  • vendor estimate of time required for customers to obtain, test and apply the patch

The name and contact information of the vulnerability reporter will be forwarded to the affected vendors unless otherwise requested by the vulnerability reporter. CISA will advise the vulnerability reporter of significant changes in the status of any vulnerability reported to the extent possible without revealing information provided in confidence by the vendor.

Affected vendors will be apprised of any publication plans, and alternate publication schedules will be negotiated with affected vendors as required.

In cases where a vendor is unresponsive, or will not establish a reasonable timeframe for remediation, CISA may disclose vulnerabilities as early as 45 days after the initial attempt to contact the vendor is made, regardless of the existence or availability of patches or workarounds from affected vendors.

It is the goal of this policy to balance the need of the system owners and operators to be informed of potential risk associated with security vulnerabilities with the vendors' need for time to respond effectively. The final determination of the type and schedule of publication will be based on the best interests of the community overall.

CISA's vulnerability remediation process involves five basic steps:

  1. Detection/Collection — CISA collects vulnerability reports in three ways: CISA vulnerability analysis, monitoring public sources of vulnerability information, and direct notification of vulnerabilities to CISA. After receiving a report, CISA does an initial surface analysis to eliminate duplicates and false alarms. CISA then catalogs the vulnerabilities, including all of the information (public and private) that is known at that point.
  2. Analysis — Once the vulnerabilities are catalogued, vendor and CISA analysts work to understand the vulnerabilities by examining and identifying the issues, as well as the potential threat.
  3. Mitigation Coordination — After analyzing a vulnerability, CISA will continue to work with the vendor on the development of mitigations and the issuance of patches or new versions. CISA has established secure and trusted relationships with vendors to facilitate vulnerability disclosure and overall technology assessment and testing functions. CISA will work with vendors to allow sufficient time to effectively resolve and perform patch regression testing against any given vulnerability. Additionally, CISA has experience successfully coordinating responses to vulnerabilities that affect multi-vendor products.
  4. Application of Mitigation — CISA works with the vendor to facilitate sufficient time for affected end users to obtain, test, and apply mitigation strategies prior to public disclosure when possible.
  5. Disclosure — After coordinating with vendors and gathering technical and threat information, CISA will take appropriate steps to notify end users about the vulnerability via multiple channels. CISA strives to disclose accurate, neutral, objective information focused on technical remediation and mitigation for asset owners and operators. CISA will reference available related information and correct misinformation when possible.

To report an ICS vulnerability, please email or call 1-888-282-0870. When sending sensitive information to CISA via email, we encourage you to encrypt your messages.

Download the CISA ICS public key.

To report an IT vulnerability, please click HERE.