cc2-3 High priority Security / Communication and Information

Security information is communicated to external parties

Customers, regulators, and other external parties need relevant security information to make decisions about working with you. This includes your security commitments in contracts and terms of service, how you notify customers of incidents that affect them, how you handle vulnerability disclosures from external researchers, and how you communicate with regulators. Failure to communicate externally when required creates legal and reputational risk.

Complete first: cc2-2

Implementation steps

  1. Publish a security or trust page

     Create a public-facing page (a trust center or security page) that describes your security practices, certifications, and commitments. This is increasingly expected by enterprise buyers and reduces repetitive questionnaire work. Include: certifications held, key controls summary, data handling practices, and contact for security questions.

     Tools: vanta, drata, secureframe, notion, webflow

  2. Define and publish a vulnerability disclosure policy

     Document how external security researchers can report vulnerabilities to you and what they can expect in return. A responsible disclosure or bug bounty policy tells researchers you welcome reports and reduces the chance of public disclosure before you can fix an issue. Publish it at a standard location (security.txt or your website).

     Tools: hackerone, bugcrowd, google-forms

  3. Establish a customer breach notification process

     Document the process for notifying customers if a security incident affects their data. Define: who approves notifications, what the notification must contain, what the timeline is (typically 72 hours for GDPR-covered entities), and what communication channel is used. Test the process before you need it.

     Tools: statuspage, pagerduty, email
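The security.txt location named in step 2 is specified by RFC 9116. As an added example that is not part of this control page or its tooling, the Python below builds a minimal file and runs the checks a reviewer would make before publishing it (required Contact and Expires fields, Expires unexpired and within a year, Contact given as a URI); the contact address, policy URL and canonical URL are constructed placeholders.

```python
"""Build and sanity-check a security.txt file (RFC 9116) for a vulnerability
disclosure policy. Field names follow RFC 9116; the sample values are
constructed placeholders, not a real organisation's data."""
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")  # URI forms RFC 9116 lists


def build_security_txt(contact: str, policy_url: str, canonical: str,
                       valid_days: int = 365) -> str:
    """Return file text. Expires is RFC 3339 UTC; RFC 9116 recommends
    less than a year out so the file is reviewed regularly."""
    expires = datetime.now(timezone.utc) + timedelta(days=valid_days)
    lines = [
        f"Contact: {contact}",
        f"Expires: {expires.strftime('%Y-%m-%dT%H:%M:%SZ')}",
        f"Policy: {policy_url}",
        f"Canonical: {canonical}",  # the /.well-known/security.txt URL
        "Preferred-Languages: en",
    ]
    return "\n".join(lines) + "\n"


def check_security_txt(text: str) -> list[str]:
    """Return a list of problems; an empty list means the basic checks pass.
    Simplification: only the 'Z' (UTC) form of RFC 3339 timestamps is parsed."""
    now = datetime.now(timezone.utc)
    fields: dict[str, list[str]] = {}
    problems: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        if ":" not in line:
            problems.append(f"malformed line: {raw!r}")
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    if len(fields.get("Expires", [])) > 1:
        problems.append("Expires must appear only once")
    for exp in fields.get("Expires", []):
        try:
            when = datetime.strptime(exp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 UTC timestamp: {exp}")
            continue
        if when <= now:
            problems.append(f"file expired on {exp}")
        elif when - now > timedelta(days=366):
            problems.append("Expires is more than a year away")
    for contact in fields.get("Contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a mailto:, tel: or https: URI: {contact}")
    return problems
```

Run `check_security_txt` against the file actually served at `/.well-known/security.txt` as part of the periodic review, since an expired file is a common way for a published policy to silently lapse.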

Evidence required

Public security page or trust center

A publicly accessible page describing your security practices.

  • Trust center URL with SOC 2 report request process
  • Security page on company website with key controls described
  • Vanta or Drata trust page

Vulnerability disclosure policy

A published policy explaining how to report vulnerabilities.

  • security.txt file at well-known URL
  • Bug bounty program on HackerOne or Bugcrowd
  • Responsible disclosure page on company website

Breach notification procedure

A documented process for notifying customers and regulators of security incidents.

  • Incident response plan with customer notification section
  • Data breach notification template
  • Contractual SLA for breach notification timing

Related controls