NIST framework update talks may offer a needed spotlight on vulnerability disclosure

New discussions around addressing cyber vulnerability disclosure within the federal framework of cybersecurity standards could give the issue much-needed visibility and offer a boost to a Commerce Department-led, public-private effort to promote guidelines for disclosing vulnerabilities in software and devices, even as challenges around liability and patching remain.

Last week’s National Institute of Standards and Technology’s workshop on draft updates to the cybersecurity framework spurred extensive discussions on vulnerability disclosure policies, which establish a process for IT vendors to handle...