The FTC released public comments yesterday on the National Telecommunications and Information Administration’s (NTIA) draft “Early Stage” Coordinated Vulnerability Disclosure Template, which was published in December 2016. The NTIA Safety Working Group issued the draft template as part of a multistakeholder process that convened security researchers, software and system developers, and system owners to address security vulnerability disclosure.
The FTC’s comments highlighted the importance of coordinated vulnerability disclosure efforts, stating that “companies should communicate and coordinate with the security research community as part of a continuous process of detecting and remediating software vulnerabilities,” and cited its prior enforcement actions and Staff guidance on the subject. The FTC encouraged transparency in vulnerability reporting by both researchers and companies, and promoted the model vulnerability disclosure policy language in the draft template as “a useful asset for companies seeking to draft a public-facing vulnerability disclosure policy that helps forge common expectations with researchers regarding vulnerability handling timelines and processes.”
In the comments and accompanying press release, the FTC emphasized that while the current draft template is directed toward companies in “safety-critical industries,” such as automotive and medical device companies, the template could be a useful tool for “any company providing software-based products and services to consumers.” As such, the Staff recommended that the introduction to the draft template be revised to clarify the broader applicability of the recommendations, particularly to companies that “provide Internet-connected products or collect sensitive consumer information.”