You are here

Multistakeholder Process: Cybersecurity Vulnerabilities

Date: 
December 15, 2016

This web page provides details on the NTIA-convened multistakeholder process concerning collaboration between security researchers and software and system developers and owners to address security vulnerability disclosure.

Stakeholder documents

On December 15, 2016, stakeholder participants released a set of initial findings, recommendations and resources. NTIA will continue to work with stakeholders on further developments and outreach.

Upcoming meeting

Further activity for this multistakeholder process will be announced in early 2017.

Past Meetings

November 7, 2016 in Washington, D.C.

These draft documents were written by stakeholder working groups. These are not final documents, and are intended for discussion.

April 8, 2016 

December 2, 2015

September 29, 2015

Background:

On March 19, 2015, the National Telecommunications and Information Administration, working with the Department of Commerce’s Internet Policy Task Force (IPTF), issued a Request for Comment to “identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers.” Individuals and entities from across the commercial, academic, and civil society sectors filed comments. After reviewing these comments, NTIA announced that the first topic to be addressed would be collaboration on vulnerability research disclosure.

The goal of this process will be to develop a broad, shared understanding of the overlapping interests between security researchers and the vendors and owners of products discovered to be vulnerable, and to establish a consensus about voluntary principles to promote better collaboration.  The question of how vulnerabilities can and should be disclosed will be a critical part of the discussion, as will how vendors receive and respond to this information. However, disclosure is only one aspect of successful collaboration.

Additional Information:

The Federal Register Notice announcing the first meeting and providing further background and detail:

Deputy Assistant Secretary Angela Simpson’s blog post announcing the initiative on Enhancing the Digital Economy Through Collaboration on Vulnerability Research Disclosure.

March 19, 2015 Request for Comments on Stakeholder Engagement on Cybersecurity in the Digital Ecosystem

Stakeholder Comments on Stakeholder Engagement on Cybersecurity in the Digital Ecosystem

Department of Commerce Green Paper “Cybersecurity, Innovation, and the Internet Economy” (July, 2011)