本文件向供应商提供了有关产品和服务漏洞披露的要求和建议。漏洞披露使用户能够按照ISO/IEC 27002:2013，12.6.1[1]的规定执行技术漏洞管理。漏洞披露有助于用户保护其系统和数据，优先考虑防御性投资，并更好地评估风险。漏洞披露的目标是降低利用漏洞的风险。当多个供应商受到影响时，协调漏洞披露尤为重要。本文件提供: --关于接收潜在漏洞报告的准则； --关于披露漏洞补救信息的准则； --特定于漏洞披露的术语和定义； --漏洞披露概念概述； --漏洞披露的技术和政策考虑； --技术、政策（附件A）和通信（附件B）的例子。 ISO/IEC 30111中描述了在接收和披露漏洞报告之间发生的其他相关活动。 本文件适用于选择进行漏洞披露以降低供应商产品和服务用户风险的供应商。

This document provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. Vulnerability disclosure enables users to perform technical vulnerability management as specified in ISO/IEC 27002:2013, 12.6.1[1]. Vulnerability disclosure helps users protect their systems and data, prioritize defensive investments, and better assess risk. The goal of vulnerability disclosure is to reduce the risk associated with exploiting vulnerabilities. Coordinated vulnerability disclosure is especially important when multiple vendors are affected. This document provides: — guidelines on receiving reports about potential vulnerabilities; — guidelines on disclosing vulnerability remediation information; — terms and definitions that are specific to vulnerability disclosure; — an overview of vulnerability disclosure concepts; — techniques and policy considerations for vulnerability disclosure; — examples of techniques, policies (Annex A), and communications (Annex B). Other related activities that take place between receiving and disclosing vulnerability reports are described in ISO/IEC 30111. This document is applicable to vendors who choose to practice vulnerability disclosure to reduce risk to users of vendors' products and services.