KSI-PIY-RVD—Reviewing Vulnerability Disclosures
Formerly KSI-PIY-03
>Control Description
>NIST 800-53 Controls
>Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express breach notification readiness through tested procedures — notification timeline SLAs validated against actual incident history, automated notification workflows triggered by breach classification, and regulatory reporting requirements tracked as a matrix per jurisdiction.
Privacy Breach Notification Procedures
How breach notifications are triggered and executed — including automated workflows and jurisdiction-specific timelines
Privacy Incident Response Plan
Plan for responding to privacy incidents — distinct from general security incidents with specific notification workflows
Breach Notification SLA
Human-readable breach notification SLA timelines (e.g., 72 hours per GDPR)
>Programmatic Queries
CLI Commands
# List each repository security advisory with its summary, severity, state and publication date
gh api repos/{owner}/{repo}/security-advisories --jq '.[] | {summary,severity,state,published_at}'
# Count Dependabot alerts grouped by advisory severity
gh api repos/{owner}/{repo}/dependabot/alerts --jq '[group_by(.security_advisory.severity)[] | {severity: .[0].security_advisory.severity, count: length}]'
>20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does your vulnerability disclosure program (VDP) cover all in-scope services and applications, or are some excluded from the program scope?
- Is the VDP publicly accessible with clear instructions for researchers — including scope, rules of engagement, and safe harbor language?
- How do you ensure the VDP addresses all vulnerability types — not just web application bugs but also infrastructure, API, and logic flaws?
- Are there any channels through which vulnerability reports arrive outside the formal VDP (direct emails, social media), and how are those tracked?
Automation & Validation:
- What automated workflow triages incoming vulnerability reports, assigns severity, and routes them to the appropriate remediation team?
- How do you track response timeframes for each disclosure — time to acknowledge, time to validate, time to remediate — and what happens when SLAs are missed?
- What automated deduplication identifies when multiple researchers report the same vulnerability?
- How do you validate that a reported vulnerability has been effectively remediated before closing the disclosure?
Inventory & Integration:
- What platform manages VDP submissions (HackerOne, Bugcrowd, custom portal), and how does it integrate with your vulnerability management and ticketing systems?
- How do VDP findings feed into your broader vulnerability management program alongside scanner findings and internal testing results?
- What secure communication channels are provided for researchers to submit sensitive vulnerability details?
- How does the VDP integrate with your public security contact information (security.txt, CSAF provider metadata)?
Continuous Evidence & Schedules:
- How frequently is VDP effectiveness reviewed, and what evidence demonstrates each review was completed?
- Is VDP performance data (submission counts, response times, resolution rates) available via API or dashboard?
- What evidence shows the VDP is actively used by researchers and that legitimate reports are received and resolved?
- How do you demonstrate the program has improved over time based on effectiveness reviews — faster response times, higher resolution rates?
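As an added example (not from this page or the FedRAMP 20x materials), the script below takes advisory records in the shape the `gh api ... security-advisories` query returns and computes the time-to-acknowledge and time-to-remediate figures the Automation & Validation questions ask about, flagging SLA misses per severity, including for disclosures that are still open. The sample records, the SLA matrix, and the mapping of created_at/published_at/closed_at to received/acknowledged/remediated are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `gh api repos/{owner}/{repo}/security-advisories` output.
# Assumed mapping: created_at = report received, published_at = acknowledged,
# closed_at = remediated. IDs are placeholders, not real GHSA identifiers.
SAMPLE_ADVISORIES = [
    {"ghsa_id": "GHSA-xxxx-0001", "summary": "SSRF in webhook fetcher", "severity": "critical",
     "state": "closed", "created_at": "2024-03-01T09:00:00Z",
     "published_at": "2024-03-01T15:00:00Z", "closed_at": "2024-03-05T12:00:00Z"},
    {"ghsa_id": "GHSA-xxxx-0002", "summary": "IDOR on export endpoint", "severity": "high",
     "state": "published", "created_at": "2024-03-02T10:00:00Z",
     "published_at": "2024-03-06T10:00:00Z", "closed_at": None},
    {"ghsa_id": "GHSA-xxxx-0003", "summary": "Verbose error page", "severity": "low",
     "state": "triage", "created_at": "2024-03-10T08:00:00Z",
     "published_at": None, "closed_at": None},
]
SAMPLE_NOW = datetime(2024, 3, 25, tzinfo=timezone.utc)  # "now" used for open items

# Assumed SLA matrix (example policy only): max days to acknowledge / to remediate.
SLA_DAYS = {"critical": (1, 7), "high": (2, 30), "medium": (5, 90), "low": (10, 180)}


def _ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2024-03-01T09:00:00Z, or None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def disclosure_metrics(advisories, now):
    """Per-advisory ack/remediation ages in days plus SLA status.
    Open items are aged against `now`, so a breach is visible before closure."""
    rows = []
    for adv in advisories:
        ack_max, fix_max = SLA_DAYS[adv["severity"]]
        received = _ts(adv["created_at"])
        ack_days = ((_ts(adv.get("published_at")) or now) - received) / timedelta(days=1)
        fix_days = ((_ts(adv.get("closed_at")) or now) - received) / timedelta(days=1)
        rows.append({
            "ghsa_id": adv["ghsa_id"], "severity": adv["severity"],
            "acknowledged": adv.get("published_at") is not None,
            "remediated": adv.get("closed_at") is not None,
            "ack_days": round(ack_days, 2), "fix_days": round(fix_days, 2),
            "ack_sla_missed": ack_days > ack_max, "fix_sla_missed": fix_days > fix_max,
        })
    return rows


def sla_misses(advisories, now):
    """IDs of disclosures that breached either SLA: the list an escalation workflow would act on."""
    return sorted(r["ghsa_id"] for r in disclosure_metrics(advisories, now)
                  if r["ack_sla_missed"] or r["fix_sla_missed"])


if __name__ == "__main__":
    for row in disclosure_metrics(SAMPLE_ADVISORIES, SAMPLE_NOW):
        print(row)
    print("SLA misses:", sla_misses(SAMPLE_ADVISORIES, SAMPLE_NOW))
```

Feed real data by replacing SAMPLE_ADVISORIES with the parsed JSON from the `gh api` query and SAMPLE_NOW with the current UTC time.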