
Create SECURITY.md #1278


Conversation

bibber0612

Hello,
it is important for our or other companies that we have a list of safety-related issues. This is required for ISO 27001 8.28.

@sandraros
Collaborator

Hello. I guess that the people here are all newbies to ISO/IEC 27001. I guess you refer to the 2022 version. What is "8.28"? What does "Supported" mean? Reporting a vulnerability is the same as reporting anything; could you propose a more complete text? Could you provide a guide about what ISO/IEC 27001:2022 requires from software (web site or book)? Thank you.

@bibber0612
Author

Hello,
The ISO standard requires vulnerability management, which means that external libraries must have a way to report vulnerabilities.

In this case, that means that if we introduce SECURITY.md, there will be an overview of all fixed vulnerabilities.

@sandraros
Collaborator

Before proposing anything, we need some reference documentation about the exact requirements defined in ISO/IEC 27001. Access to these standards is not free, if I understand correctly.
I have access to a few books talking about ISO/IEC 27001.

Here's an excerpt from the book "ISO 27001 Controls: A Guide to Implementing and Auditing", Second Edition, Publisher: IT Governance © 2024, by Bridget Kenyon. I can't paste all of it due to copyright, but I can see in the book that if we want to support ISO/IEC 27001, it's not only providing a point of contact and a list of vulnerability fixes, but also a whole security process to adopt, which should be audited to be compliant with ISO/IEC 27001 too:

8.25 Secure development life cycle (ISO/IEC 27001, A.8.25)

Implementation guidance

Where software, services, networks or whole environments are being developed, the organisation should consider the information security of these environments to prevent the deliberate or accidental inclusion of inappropriate functionality (or of vulnerabilities) [...]

A policy should be implemented to ensure that development is carried out to standards that are suitable to the organisation’s risk profile. ISO/IEC 27002, 8.25 contains a checklist of what should be in the secure development policy; the list summarises measures that are covered in more detail in other controls in the Standard.

Auditing guidance

The auditor should look for evidence of secure coding or other relevant standards in the development environment, and ask to see documentation supporting a consistent and suitable approach to the identification and resolution of vulnerabilities. Developers should have training and competence in secure practices, which can usually be ascertained via interview. [...] Also see Clause 10.1 of ISO/IEC 27001.

I don't know ISO/IEC 27001, but maybe for now we can add the document you propose, and we'll see next if you need other compliance stuff.

@sandraros
Collaborator

Also adding here what ChatGPT says about "what are the detailed guidelines for third-party components indicated in control 8.25 of ISO/IEC 27002:2022":

The detailed guidelines for managing third-party components under Control 8.25 "Secure Development" in ISO/IEC 27002:2022 focus on ensuring that the use of third-party software, libraries, and frameworks does not introduce security vulnerabilities into the development process. Here are the key guidelines:

  1. Evaluation of Third-Party Components:
    • Assess the security of third-party components before integrating them into the development process.
    • Verify that third-party components come from reputable sources and have a good security track record.
    • Review the security features and vulnerabilities of third-party components.
  2. Approval Process:
    • Establish an approval process for the use of third-party components.
    • Ensure that only approved components are used in the development process.
  3. Security Requirements:
    • Define security requirements for third-party components.
    • Ensure that third-party components meet the organization's security requirements.
  4. Version Control and Updates:
    • Keep third-party components up to date with the latest security patches and updates.
    • Monitor for new vulnerabilities in third-party components and apply patches promptly.
  5. Licensing and Legal Compliance:
    • Ensure that the use of third-party components complies with licensing agreements and legal requirements.
    • Verify that the use of third-party components does not violate intellectual property rights.
  6. Monitoring and Review:
    • Continuously monitor the security of third-party components.
    • Conduct regular reviews and assessments of third-party components to identify and mitigate security risks.
  7. Documentation and Inventory:
    • Maintain an inventory of all third-party components used in the development process.
    • Document the security assessments, approvals, and updates for third-party components.
  8. Risk Management:
    • Identify and manage risks associated with the use of third-party components.
    • Implement mitigation measures to address identified risks.

These guidelines help organizations ensure that the use of third-party components does not compromise the security of their information systems and applications. For a comprehensive understanding, it is recommended to refer directly to the ISO/IEC 27002:2022 standard document.

@bibber0612
Author

So because of these two points we need the SECURITY.md:
Verify that third-party components come from reputable sources and have a good security track record.
Review the security features and vulnerabilities of third-party components.

Security issues can be checked and made available via these points, in addition to the watched security alerts.
