NSA/CSS - National Security Agency - Central Security Service

07/15/2026 | Press release | Distributed by Public on 07/16/2026 05:40

NSA joins CISA and Others in Releasing the Cybersecurity Information Sheet “Establishing a Coordinated Vulnerability Disclosure Program to Work with Security Researchers”

FORT MEADE, Md. (July 16, 2026) - The National Security Agency (NSA), in partnership with the Cybersecurity and Infrastructure Security Agency (CISA), Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), and Netherlands National Cyber Security Centre (NCSC-NL), released the Cybersecurity Information Sheet, "Establishing a Coordinated Vulnerability Disclosure Program to Work with Security Researchers."

Establishing and maintaining a robust coordinated vulnerability disclosure (CVD) program aligned with the best practices detailed in this guide is essential for any supplier committed to safeguarding the security and trust of its customers. A well-structured CVD program, whether managed internally or through an intermediary, creates a clear framework for engaging security researchers, fostering collaboration, and ensuring vulnerabilities are identified and addressed effectively.

This report provides key recommendations, such as creating and publishing a vulnerability disclosure policy (VDP), being public and inclusive with reporting vulnerabilities, and setting a broad scope for security testing.

A robust CVD program enhances product security and demonstrates a supplier's commitment to protecting customers. By working transparently with researchers, suppliers can build constructive relationships, improve vulnerability management processes, and make informed decisions to better assess and mitigate risks.

The guidance also highlights the role of intermediaries, such as third-party coordinators and national computer security incident response teams, in substituting or supplementing a supplier's CVD program. These intermediaries can streamline communication, promptly respond to vulnerabilities, and ensure responsible disclosure.

As the cyber landscape continues to evolve, the best practices for CVD programs should be adapted to address emerging challenges and technologies. Suppliers are strongly encouraged to review and update their CVD programs regularly to ensure they align with the latest guidance and industry standards.

Additional Resources

NSA Media Relations [email protected] 443-634-0721


About the National Security Agency

Founded in 1952, NSA is a U.S. Department of War combat support agency and element of the U.S. Intelligence Community. The Agency's mission is to provide foreign signals intelligence to policy makers and our military, and to prevent and eradicate cybersecurity threats to U.S. National Security Systems, with a focus on the Defense Industrial Base and the improvement of U.S. weapons' security. From protecting U.S. warfighters around the world to enabling and supporting operations on land, in the air, at sea, in space, and in the cyber domain, NSA is committed to building public trust through transparency and protecting civil liberties and privacy consistent with our nation's values.

###

NSA/CSS - National Security Agency - Central Security Service published this content on July 15, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on July 16, 2026 at 11:40 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]