Blueprint: Coordinated Vulnerability Disclosure (CVD) Adoption for Information Sharing and Analysis Center (ISAC)-Like Groups

The electric vehicle supply equipment (EVSE) industry is an incredibly diverse set of participants (EVSE manufacturers, charge network operators (CNOs), original equipment manufacturers (OEMs), etc.), and with the potential for an Information Sharing and Analysis Centers (ISAC) or ISAC-like group, it requires a series of guidance for doing a multiparty coordinated vulnerability disclosure (CVD) such that a group like this could be successful. This blueprint provides a template and guidance to stakeholders in the EVSE industry for conducting a multiparty CVD. It also formalizes what multiparty CVD could look like in an ISAC-like group with multiple entities as well as vulnerability coordinators by specifically calling out who in the ISAC-like group may be involved, and which industry members it may apply to. This blueprint leverages tools such as Vultron, VINCE, etc. along with open resources such as the Software Engineering Institutes guide for coordinated vulnerability disclosure, for the stakeholder in the EVSE industry to start up a CVD program of their own.