GCVE-BCP-02 - Practical Guide to Vulnerability Handling and Disclosure

Vulnerabilities in software can pose serious risks to users and organizations. A clear and effective process for handling and disclosing security vulnerabilities maintains user trust and protects systems.

This guide provides actionable recommendations for GCVE GNA, software developers, open source project maintainers, vendors, and organizations to manage vulnerability reports from discovery to resolution and public disclosure. It is organized into key stages of a vulnerability’s life-cycle, including:

  • preparation and receipt of a report,
  • investigation and remediation,
  • communication and coordinated disclosure.

Overall, the guide establishes a transparent process that encourages responsible reporting and safeguards users.

Draft published at

This topic is for further discussion of, or comments on, BCP-02.

GCVE-BCP-02 Published - Version 1.3 (2025-12-09)

We’re pleased to announce the publication of GCVE-BCP-02 – Practical Guide to Vulnerability Handling and Disclosure, now available in its version 1.3.

This Best Current Practice document provides actionable guidance for organisations, researchers, and GCVE Numbering Authorities (GNAs) on managing and disclosing vulnerabilities effectively, both within the GCVE ecosystem and beyond.

Read it here: (HTML)

Read it here: (PDF)

Thank you to everyone contributing to the improvement and adoption of vulnerability handling and disclosure practice!
