NIST 800-53 REV 5 • RISK ASSESSMENT

RA-5(11) Public Disclosure Program

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

The reporting channel is publicly discoverable and contains clear language authorizing good-faith research and the disclosure of vulnerabilities to the organization. The organization does not condition its authorization on an expectation of indefinite non-disclosure to the public by the reporting entity but may request a specific time period to properly remediate the vulnerability.

Practitioner Notes

A public disclosure program (like a bug bounty or vulnerability disclosure policy) gives outside security researchers a way to report vulnerabilities they find in your systems. This turns the wider security community into an extension of your team.

Example 1: Publish a Vulnerability Disclosure Policy (VDP) on your website at /.well-known/security.txt following the ISO 29147 standard. State what systems are in scope, how to report findings securely, and commit to no legal action against good-faith reporters.
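As an added example (not part of the control text above), the following Python script checks a /.well-known/security.txt file before it is published. The file format itself is specified by RFC 9116; its Policy field is where the file links to the written VDP, and its Expires field is the one most programs let lapse, after which researchers may stop trusting the contact. The sample file bodies, the example.com addresses and the fixed clock used for a repeatable check are all constructed for this demonstration.

```python
from datetime import datetime, timedelta, timezone

# Field names defined by RFC 9116, keyed lowercase because names are
# case-insensitive, mapped to their canonical spelling.
FIELDS = {
    "acknowledgments": "Acknowledgments",
    "canonical": "Canonical",
    "contact": "Contact",
    "encryption": "Encryption",
    "expires": "Expires",
    "hiring": "Hiring",
    "policy": "Policy",
    "preferred-languages": "Preferred-Languages",
}
REQUIRED = ("Contact", "Expires")
AT_MOST_ONCE = ("Expires", "Preferred-Languages")
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")


def parse_security_txt(text):
    """Return ({field: [values]}, [parse problems]) for a security.txt body.

    Blank lines and '#' comments are skipped; a line without ':' is malformed.
    Unknown field names are kept under their given spelling so the caller can warn.
    """
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not value.strip():
            problems.append(f"line {lineno}: malformed field line {raw!r}")
            continue
        canonical = FIELDS.get(name.strip().lower(), name.strip())
        fields.setdefault(canonical, []).append(value.strip())
    return fields, problems


def _parse_expires(value):
    # RFC 9116 uses an ISO 8601 timestamp; tolerate a trailing 'Z' on older Pythons.
    stamp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is acceptable."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)

    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} may appear only once")
    for name in fields:
        if name not in FIELDS.values():
            problems.append(f"unknown field {name}")

    # Every Contact must be a URI a reporter can act on; a bare mail address
    # without a scheme is a common mistake and is not valid.
    for value in fields.get("Contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact {value!r} is not an https:, mailto: or tel: URI")

    # Expires must parse, lie in the future and (as recommended) be under a year
    # out, so a stale file does not keep pointing researchers at a dead mailbox.
    for value in fields.get("Expires", [])[:1]:
        try:
            expires = _parse_expires(value)
        except ValueError:
            problems.append(f"Expires {value!r} is not an ISO 8601 timestamp")
            continue
        if expires <= now:
            problems.append(f"file expired at {value}")
        elif expires - now > timedelta(days=365):
            problems.append(f"Expires {value} is more than a year away")

    # Policy and Canonical should point at the program over HTTPS.
    for name in ("Policy", "Canonical"):
        for value in fields.get(name, []):
            if not value.startswith("https://"):
                problems.append(f"{name} {value!r} should be an https:// URL")
    return problems


# Constructed sample: a well-formed file for a fictional example.com program.
GOOD = """\
# Vulnerability disclosure contact for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/vdp/report
Expires: 2031-01-01T00:00:00+00:00
Policy: https://example.com/vdp
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample carrying the mistakes seen most often in published files.
BAD = """\
Contact: security@example.com
Policy: http://example.com/vdp
Preferred-Languages: en
Preferred-Languages: de
this line has no colon
"""

FIXED_NOW = datetime(2030, 6, 1, tzinfo=timezone.utc)  # assumed clock, keeps the demo repeatable

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("bad", BAD)):
        print(label, validate_security_txt(body, now=FIXED_NOW) or "OK")
```

Run it as a pre-publish step in the pipeline that deploys the website, and schedule the same check against the live URL so an expired file is caught before a researcher finds it.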

Example 2: If your organization is mature enough, launch a bug bounty program through a platform like HackerOne or Bugcrowd. Define clear scope, severity-based payouts, and response SLAs. Even a modest program (starting at $100 per valid finding) can surface vulnerabilities your internal team missed.