An official website of the United States government
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | July 15, 2026

NSA joins CISA and Others in Releasing the Cybersecurity Information Sheet “Establishing a Coordinated Vulnerability Disclosure Program to Work with Security Researchers”

FORT MEADE, Md. (July 16, 2026) — The National Security Agency (NSA), in partnership with the Cybersecurity and Infrastructure Security Agency (CISA), Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), and Netherlands National Cyber Security Centre (NCSC-NL), released the Cybersecurity Information Sheet, “Establishing a Coordinated Vulnerability Disclosure Program to Work with Security Researchers.”

Establishing and maintaining a robust coordinated vulnerability disclosure (CVD) program aligned with the best practices detailed in this guide is essential for any supplier committed to safeguarding the security and trust of its customers. A well-structured CVD program, whether managed internally or through an intermediary, creates a clear framework for engaging security researchers, fostering collaboration, and ensuring vulnerabilities are identified and addressed effectively.

This report provides key recommendations, such as creating and publishing a vulnerability disclosure policy (VDP), being public and inclusive with reporting vulnerabilities, and setting a broad scope for security testing.

A robust CVD program enhances product security and demonstrates a supplier's commitment to protecting customers. By working transparently with researchers, suppliers can build constructive relationships, improve vulnerability management processes, and make informed decisions to better assess and mitigate risks.

The guidance also highlights the role of intermediaries, such as third-party coordinators and national computer security incident response teams, in substituting or supplementing a supplier's CVD program. These intermediaries can streamline communication, promptly respond to vulnerabilities, and ensure responsible disclosure.

As the cyber landscape continues to evolve, the best practices for CVD programs should be adapted to address emerging challenges and technologies. Suppliers are strongly encouraged to review and update their CVD programs regularly to ensure they align with the latest guidance and industry standards.

Additional Resources

 
 

NSA Media Relations
MediaRelations@nsa.gov
443-634-0721



About the National Security Agency

Founded in 1952, NSA is a U.S. Department of War combat support agency and element of the U.S. Intelligence Community. The Agency’s mission is to provide foreign signals intelligence to policy makers and our military, and to prevent and eradicate cybersecurity threats to U.S. National Security Systems, with a focus on the Defense Industrial Base and the improvement of U.S. weapons’ security. From protecting U.S. warfighters around the world to enabling and supporting operations on land, in the air, at sea, in space, and in the cyber domain, NSA is committed to building public trust through transparency and protecting civil liberties and privacy consistent with our nation’s values.

###