Jennifer Martin, Ashden Fein and Weiss Nusraty write:
Last week, the U.S. Department of Justice (“DOJ”) released a voluntary frameworkfor organizations to use in the development of a formal program to receive reports of network, software, and system vulnerabilities, and to disclose vulnerabilities identified in other organizations’ environments. This framework provides private entities a series of steps to establish a formal program that balances the need to enhance organizations’ cybersecurity with potential legal risks associated with identifying, testing, and disclosing vulnerabilities. While the framework does not prescribe specific requirements, it does provide guidance that an organization should consider whether it is developing a new disclosure program or already has an established program. The framework also appears consistent with previous U.S. Government guidance on vulnerability disclosure — such as the policy or guidance published by the U.S. Department of Defense, General Services Administration 18F Office, and National Telecommunications & Information Administration.
Read more on Covington & Burling Inside Privacy.