Sat, May 2

NAESB is discussing contract language to protect critical infrastructure from product vulnerabilities

The North American Energy Standards Board (NAESB.ORG) continues to discuss procurement contract language aimed at improving the timeliness of reporting product vulnerabilities that could be exploited in critical infrastructure businesses, so that the affected parties can take mitigating action before exploitation occurs. The latest draft framing document, covering the topics that any future procurement contract language needs to address, is available at the link below.

The goal of this effort is to provide critical infrastructure operators with an "early warning signal, along with mitigating steps when a new exploitable vulnerability is confirmed by a product manufacturer/software supplier enabling a critical infrastructure operator to mitigate the cyber risk in their environments and close the window of opportunity that cyber criminals exploit when a new vulnerability is confirmed". Timely reporting of exploitable vulnerabilities in products has become a "mission critical function" now that AI tools are capable of exploiting vulnerabilities autonomously and new vulnerabilities are being reported at a rate of over 130 per day in 2026. During the last meeting on April 30, I demonstrated how one open source project, called curl, may serve as a role model for how to communicate product vulnerability disclosure reports (VDR) to consumers, giving them the ability to answer the question: "Is my curl release affected by any known vulnerabilities as of right now?" Think of this as akin to a CARFAX report, but for cyber products.
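As an added example (not code from this post or from the curl project), the following shows the lookup a consumer would run against such a VDR feed: given a release version and a list of advisories with affected version ranges, it returns the advisories that still apply to that release. The feed structure and advisory ids are constructed, simplified OSV-style placeholders, not curl's actual VDR format.

```python
"""Answer "is my release affected right now?" against a vendor VDR feed.

Added example, not code from the post or from the curl project. The feed
shape is a constructed, simplified OSV-style structure (hypothetical):
each advisory carries version ranges as introduced/fixed pairs, and a
missing "fixed" means no fixed release exists yet.
"""
from typing import Dict, List, Tuple

# Constructed sample VDR feed; the ids are placeholders, not real CVEs.
SAMPLE_VDR: List[Dict] = [
    {"id": "CVE-0000-0001", "ranges": [{"introduced": "7.10.0", "fixed": "7.80.0"}]},
    {"id": "CVE-0000-0002", "ranges": [{"introduced": "7.70.0", "fixed": "8.1.0"}]},
    {"id": "CVE-0000-0003", "ranges": [{"introduced": "8.0.0"}]},  # unfixed
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.10.0' into (8, 10, 0) so comparison is numeric, not lexical.

    String comparison would wrongly rank '8.9.0' above '8.10.0'.
    """
    return tuple(int(part) for part in version.split("."))


def is_in_range(version: str, rng: Dict[str, str]) -> bool:
    """True when introduced <= version < fixed (open-ended if no fix)."""
    v = parse_version(version)
    if v < parse_version(rng["introduced"]):
        return False
    fixed = rng.get("fixed")
    return fixed is None or v < parse_version(fixed)


def affecting_advisories(version: str, vdr: List[Dict] = SAMPLE_VDR) -> List[str]:
    """Return ids of advisories whose ranges cover the given release."""
    return [
        adv["id"]
        for adv in vdr
        if any(is_in_range(version, r) for r in adv["ranges"])
    ]


if __name__ == "__main__":
    for release in ("7.9.0", "7.75.0", "7.80.0", "8.1.0", "8.10.0"):
        print(release, affecting_advisories(release))
```

A release equal to a range's "fixed" version is treated as patched, while anything at or above an advisory with no fix stays flagged until the feed is updated.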

The next meeting will occur on May 21. All are welcome to participate in this NAESB ANSI SDO work effort; you do not have to be a NAESB member to participate in this initiative. All NAESB decisions on standards development work are based on consensus.

https://naesb.org/pdf4/weq_bps_css043026a1.docx
