Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Software Security in Supply Chains: Vulnerability Management

Vulnerabilities are discovered in a variety of sources. Developers of software may find security bugs in already-deployed code. Security researchers and penetration testers may find vulnerabilities by scanning or manually testing software and accessible systems. Effectively identifying, triaging, remediating, and reporting vulnerabilities is a central pillar of the EO. In its discussion of Zero Trust architecture, the EO recognizes that the discovery of vulnerabilities is inevitable, and federal agencies’ strategies should focus on how to manage those vulnerabilities efficiently and comprehensively.

Agencies should adhere to NIST’s existing Vulnerability Disclosure Program guidance in Draft NIST SP 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines, which addresses reporting, coordinating, publishing, and receiving information about security vulnerabilities. They can also impose a range of recommended activities and capabilities from suppliers to enable more comprehensive and timely management of vulnerabilities.

Foundational Capabilities

Sustaining Capabilities

  • Adhere to a coordinated vulnerability disclosure (CVD) practice to ensure that federal departments and agencies are able to remediate vulnerabilities in a timely manner.[2]
  • Integrate SBOMs, vulnerability databases, and reporting mechanisms to ensure that federal departments and agencies rapidly receive notification of recently released vulnerabilities.

Enhancing Capabilities

  • Engage suppliers that staff defined product security incident response teams (PSIRT) and/or internal research teams dedicated to the identification, triage, and remediation of vulnerabilities across the supplier’s product/service suite in support of SSDF V1.1 Prepare the Organization (PO) and RV practices.[3]
  • Buy from suppliers that utilize a formal bug bounty program to incentivize the discovery and proactive remediation of vulnerabilities before adversaries are able to utilize them, where feasible and legally appropriate.

[1] GitLab. (2021). NIST Position Paper: Area #5.

[2] Carnegie Mellon University Software Engineering Institute. (2021). CERT/CC Comments on Standards and Guidelines to Enhance Software Supply Chain Security (Questions 2-5)


Created May 3, 2022, Updated May 5, 2022