
Recommendations for Federal Vulnerability Disclosure Guidelines



Kim B. Schaffer, Peter Mell, Hung Trinh, Isabel Van Wyk


Receiving reports on suspected security vulnerabilities in information systems is one of the best ways for developers and services to become aware of issues. Formalizing actions to accept, assess, and manage vulnerability disclosure reports can help reduce known security vulnerabilities. This document recommends guidance for establishing a federal vulnerability disclosure framework, properly handling vulnerability reports, and communicating the mitigation and/or remediation of vulnerabilities. The framework allows for local resolution support while providing federal oversight and should be applied to all software, hardware, and digital services under federal control.
Report Number: Special Publication (NIST SP) 800-216


Keywords: advisory, Federal Coordination Body, findings report, source vulnerability report, vulnerability communication, vulnerability disclosure, vulnerability disclosure policy, Vulnerability Disclosure Program Office, vulnerability processing, vulnerability tracking.


Schaffer, K., Mell, P., Trinh, H. and Van Wyk, I. (2023), Recommendations for Federal Vulnerability Disclosure Guidelines, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], (Accessed July 21, 2024)



Created May 24, 2023