CISA and NSA Publish Playbook for Working With Outside Bug Hunters
New joint guidance urges software makers and online services to set up formal channels for security researchers, with clear rules, CVE assignments, and the option to lean on national response teams.

Key points
- CISA, the NSA and international partners released joint guidance for software makers on running a Coordinated Vulnerability Disclosure programme, a formal way for outside researchers to report security flaws safely.
- The guidance tells companies to publish a written Vulnerability Disclosure Policy explaining how researchers can report bugs without fear of legal trouble.
- It recommends assigning CVE identifiers, the unique tracking numbers used worldwide to catalogue security flaws, to every confirmed vulnerability.
- Smaller vendors are told they can hand the process to a third party such as a national Computer Security Incident Response Team instead of building one in-house.
- The document frames disclosure programmes as a customer protection measure, not a public relations exercise.
The US Cybersecurity and Infrastructure Security Agency, the National Security Agency and a group of overseas partners have published joint advice telling software companies how to work properly with the outside researchers who find flaws in their products.
The document, released through CISA Cybersecurity Advisories, is aimed squarely at vendors and online service providers who still do not have a formal way for a stranger to report a bug.
It lays out what a Coordinated Vulnerability Disclosure programme, known as CVD, should look like in practice.
What is coordinated vulnerability disclosure, in plain English?
It is a written agreement between a company and the wider security community about how to report and fix security flaws.
A researcher, sometimes a hobbyist, sometimes a professional, finds a weakness in a product. Without a disclosure programme, they have two bad choices: stay quiet, or post the details publicly and hope the vendor notices.
A CVD programme gives them a third option. They send the details privately to the company. The company confirms the bug, fixes it, credits the researcher, and issues a public advisory once users can protect themselves.
The new guidance says every programme needs a clear Vulnerability Disclosure Policy, a public-facing document that spells out what researchers are allowed to test, how to submit findings, and a promise the company will not sue them for reporting in good faith.
What does the guidance actually require?
Several concrete things.
Companies should triage incoming reports quickly, meaning they read them, confirm whether the bug is real, and rank how serious it is. They should remediate, in plain terms fix the flaw and ship an update to customers.
They should also assign a CVE identifier to each confirmed vulnerability. CVE stands for Common Vulnerabilities and Exposures, and the identifier is the tracking number, in the format CVE-YYYY-NNNNN, that lets defenders around the world talk about the same bug without confusion.
And companies are told to communicate. With the researcher, with customers, and with the wider industry.
What if a company cannot run its own programme?
The advisory acknowledges that not every business has the staff for this.
Small vendors, hardware makers with lean security teams, and operators of niche online services are told they can bring in a third-party intermediary. That might be CISA itself, or a national CSIRT, the Computer Security Incident Response Team run by many governments to coordinate on cyber issues.
Those bodies can receive reports on the company's behalf, verify them, and pass them along.
Why does this matter to ordinary customers?
Because the alternative is worse.
When a company has no disclosure programme, researchers often go public with unpatched bugs out of frustration. Criminals read those posts too. A working CVD process shortens the window between a flaw being found and a fix landing on your phone or laptop.
The guidance is not a regulation. It carries no fines. But it sets an expectation, and regulators in the US, UK and Australia have been watching vendor behaviour on this closely for several years.
For software companies without a disclosure page, the message is direct: publish one, staff it, and stop treating outside researchers as a nuisance.



