[DL.SCM.7] Standardize vulnerability disclosure processes - DevOps Guidance

[DL.SCM.7] Standardize vulnerability disclosure processes

Category: RECOMMENDED

A standard vulnerability disclosure policy helps ensure consistent reporting and handling of potential vulnerabilities, which in turn enhances the security of the software development lifecycle. Implementing standardized vulnerability disclosure practices is recommended for optimizing DevOps, as it promotes security, helps manage risk effectively, and encourages the responsible reporting and handling of discovered vulnerabilities.

A method for implementation is provided in RFC 9116, A File Format to Aid in Security Vulnerability Disclosure (Foudil, Shafranovich, & Nightwatch Cybersecurity, 2022). This guidance provides a standardized process for vulnerability disclosure using a machine-readable security.txt file, which contains contact details and the vulnerability disclosure policy. This file is to be placed in the /.well-known/ path of a domain name or IP address so that security researchers can easily find the right information for reporting vulnerabilities they discover.

Related information: