After release, suppliers need a repeatable pathway to receive, triage, assess, fix and disclose
security-related issues for products configured to use their defence-in-depth strategy within the
documented product security context.
DM requirement summaries
DM-1: Receiving notifications of security-related issues
Clause: 10.2
Summary
Provide a clear channel to receive and track security issues to closure from internal and
external sources — including SVV testers, third-party component suppliers, developers/testers
and product users (integrators, asset owners and maintainers). Make reporting instructions easy
to find.
DM-2: Reviewing security-related issues
Clause: 10.3
Summary
Investigate reported issues promptly enough for the market: confirm they apply to the product,
can be verified, and understand which threats trigger them. Unsubstantiated or out-of-scope
reports should be filtered here.
DM-3: Assessing security-related issues
Clause: 10.4
Summary
Analyse impact against the discovery context, the product’s security context and its
defence-in-depth strategy; score severity (for example with CVSS); identify other
affected products/versions; and find root causes and related issues.
DM-4: Addressing security-related issues
Clause: 10.5
Summary
Decide and execute how each accepted issue will be handled — for example a security update,
configuration/guidance change, compensating control, or justified deferred fix — and track
that decision through to completion via the supplier’s lifecycle processes.
DM-5: Disclosing security-related issues
Clause: 10.6
Summary
Inform affected users appropriately about security-related issues and available remediations,
balanced with responsible disclosure practice so attackers are not handed a free window before
fixes exist.
DM-6: Periodic review of security defect management practice
Clause: 10.7
Summary
At least annually, review how security issues were managed since the last review — was the
process complete, efficient, and did each issue reach resolution? Use findings for continuous
improvement.