Two new ISO standards relating to vulnerability handling and disclosure are expected to be introduced before the end of the year.
ISO 30111 will provide guidelines for handling vulnerabilities once they have been discovered. The standard will make recommendations on how a vendor deals with vulnerability reports, whether they come from an internal source or an external one, and will cover the processes for investigating and resolving the reported vulnerabilities.
The introduction of this standard aims to improve the speed and efficiency with which vulnerabilities are triaged and resolved.
The second ISO standard expected in late 2013 is ISO 29147, which will address how vulnerabilities are disclosed. It will provide guidelines on disclosing vulnerabilities to the various parties involved, from users and researchers through to hackers. The first step towards meeting this standard is to designate a team or individual whom those affected can contact to report a vulnerability.
ISO 29147 aims to make reporting easier and, in turn, to improve the speed and quality of the resolution.