Please consider voting on this important matter at this link by adding a "thumbs up" icon in response: https://github.com/ossf/tac/issues/530#issuecomment-3427196473
NOTE: The NAESB-approved WEQ 2026 Annual Plan has an action item to work on vulnerability disclosure reporting to assist energy companies with FERC Order 912:
"Consider and develop business practice standards for cybersecurity vulnerability disclosures, such as software supply chain risks, including those to support industry implementation of FERC Order No. 912 in Docket Nos. RM24-4-000 and RM20-19-000
Status: Not Started"
Many product manufacturers, e.g. Cisco and Palo Alto Networks, already provide their customers with proprietary Vulnerability Disclosure Reports (VDRs) today. This proposal aims to create a standard, machine-readable VDR format following NIST standards that manufacturers agree to create and make available to consumers, so that consumers can implement automatic, continuous risk monitoring of their cyber ecosystems.
Having a standard machine-readable format for product Vulnerability Disclosure Reports (VDRs), provided directly by product manufacturers, will enable consumers to automate cyber risk detection and continuous risk monitoring for products running in production cyber ecosystems, enabling a rapid risk response that closes the window of opportunity cyber criminals exploit today.
Having a broadly accepted industry-standard Vulnerability Disclosure Report that enables continuous cyber risk monitoring would address several of the findings in FERC's 2025 NERC CIP audit lessons-learned report, findings which enabled Volt Typhoon to carry out successful attacks against grid operators: https://www.ferc.gov/news-events/news/ferc-staff-report-offers-lessons-learned-2025-cip-audits