Is there a process for handling and disclosing vulnerabilities (Art 21.2.e + coordinated disclosure)?
Demonstrate that the organization operates a documented, coordinated vulnerability disclosure process covering intake, triage, remediation, notification timelines, and communication with stakeholders including security researchers and NIS2 competent authorities.
Description
What this control does
This control ensures the organization has established a documented vulnerability handling and disclosure process aligned with coordinated disclosure principles, as required by NIS2 Article 21.2.e. The process defines how vulnerabilities discovered internally or reported externally are triaged, assessed, remediated, and disclosed to affected parties and authorities within appropriate timeframes. It includes communication protocols with security researchers, affected customers, national CSIRTs, and competent authorities, balancing transparency with operational security during the remediation period.
Control objective
What auditing this proves
Demonstrate that the organization operates a documented, coordinated vulnerability disclosure process covering intake, triage, remediation, notification timelines, and communication with stakeholders including security researchers and NIS2 competent authorities.
Associated risks
Risks this control addresses
- Uncoordinated public disclosure of vulnerabilities by external researchers before patches are available, leading to widespread exploitation
- Failure to notify NIS2 competent authorities within mandated disclosure timelines, resulting in regulatory penalties
- Delayed or absent remediation of reported vulnerabilities due to lack of formal triage and prioritization processes
- Reputational damage and loss of trust when vulnerabilities are discovered by attackers before being reported through proper channels
- Legal liability from inadequate disclosure to affected downstream customers or service consumers who remain vulnerable
- Exploitation of zero-day vulnerabilities by threat actors during extended remediation windows without interim mitigations
- Breakdown in communication with the security research community, leading to adversarial disclosure instead of collaborative remediation
Testing procedure
How an auditor verifies this control
- Request and review the documented vulnerability handling and disclosure policy, verifying it addresses intake channels, triage criteria, remediation SLAs, and coordinated disclosure timelines.
- Identify and interview personnel responsible for vulnerability intake, triage, remediation coordination, and external communications to confirm roles and responsibilities.
- Examine the vulnerability tracking system or register to verify it captures reporter details, severity ratings, remediation status, disclosure dates, and affected parties.
- Select a sample of 5-7 vulnerabilities reported in the past 12 months and trace each through intake, triage, assignment, remediation, and disclosure stages using tracking records and email archives.
- Review evidence of coordinated disclosure activities including communications with security researchers, notifications to competent authorities, and customer advisories for sampled vulnerabilities.
- Verify the existence and accessibility of a security.txt file, responsible disclosure contact point, or bug bounty program as the public-facing intake mechanism.
- Confirm that disclosure timelines align with NIS2 requirements, including early warning (24 hours for significant incidents), intermediate reports, and final reports with coordinated public disclosure.
- Test the vulnerability intake channel by simulating a researcher report or reviewing recent external submissions to validate acknowledgment, triage, and escalation occurred per documented procedures.
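The security.txt check in the testing procedure can be partly automated. The validator below is an added example, not part of this control text: it checks the body of a fetched /.well-known/security.txt against the RFC 9116 field rules (Contact and Expires required, URI-valued fields, https preferred, Expires unexpired and within a year), using constructed sample files in place of a live fetch.

```python
from datetime import datetime, timedelta, timezone

URI_FIELDS = ("Contact", "Canonical", "Encryption", "Policy", "Acknowledgments", "Hiring")
def parse_security_txt(text):
    # Return {field: [values]}; comments and blank lines are skipped, malformed lines rejected
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            raise ValueError(f"line {lineno}: expected 'Field: value'")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields
def validate_security_txt(text, now):
    """Audit a security.txt body against RFC 9116; returns [(level, message)], empty when clean."""
    fields, findings = parse_security_txt(text), []
    for name in ("Contact", "Expires"):  # the two fields RFC 9116 says MUST be present
        if name not in fields:
            findings.append(("error", f"missing required field {name}"))
    for name in URI_FIELDS:  # values MUST be URIs; web URIs SHOULD use https
        for value in fields.get(name, []):
            if value.startswith("http://"):
                findings.append(("warn", f"{name} uses plain http: {value}"))
            elif ":" not in value:
                findings.append(("error", f"{name} is not a URI: {value}"))
    for raw in fields.get("Expires", [])[:1]:  # RFC 3339 timestamp, exactly one expected
        try:
            expires = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        except ValueError:
            findings.append(("error", f"Expires is not an RFC 3339 timestamp: {raw}"))
            continue
        if expires.tzinfo is None:
            findings.append(("error", "Expires lacks a timezone offset"))
        elif expires <= now:
            findings.append(("error", f"file expired on {raw}"))
        elif expires - now > timedelta(days=365):
            findings.append(("warn", "Expires is over a year away; RFC 9116 recommends less"))
    return findings
# Constructed samples standing in for a fetched /.well-known/security.txt
SAMPLE_OK = """Contact: mailto:security@example.com
Contact: https://example.com/report-vulnerability
Expires: 2030-12-01T00:00:00Z
"""
SAMPLE_BAD = """Contact: security@example.com
Expires: 2024-06-01T00:00:00Z
Canonical: http://example.com/.well-known/security.txt
"""
def audit_demo():  # fixed clock so the findings are reproducible
    clock = datetime(2030, 1, 1, tzinfo=timezone.utc)
    return validate_security_txt(SAMPLE_OK, clock), validate_security_txt(SAMPLE_BAD, clock)
```

In a real audit the body would come from an HTTPS GET of the target's /.well-known/security.txt, and a PGP-signed file would need its signature stripped and verified before parsing.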