W3C publishes draft policy for reporting security vulnerabilities in standards
The W3C Security Interest Group has published a draft process for reporting and handling suspected security vulnerabilities in W3C standards and specifications.
The World Wide Web Consortium’s Security Interest Group has published the first draft of a Group Note on how suspected security vulnerabilities in W3C standards should be reported and handled.
The document, titled W3C Standards Vulnerability Disclosure & Handling Process and Policy, was published on 30 June 2026.
The draft applies to W3C technical reports, including standards, specifications, notes and registries. It is intended for cases where a security issue may arise from the design or content of a W3C specification itself.
It does not apply to vulnerabilities in software products, open-source implementations, services or W3C's own operational infrastructure. Those issues remain the responsibility of the relevant vendor or maintainer, or of W3C's systems team through its existing process.
The draft creates a clearer route for researchers and others to report suspected vulnerabilities in W3C standards. Reports should be sent to a dedicated W3C email address for coordinated disclosure. The document also recommends that reports include the affected specification, a concise description of the issue, steps to reproduce it, its possible impact and any proposed mitigation.
W3C says reports will be acknowledged within three working days. It will then aim to verify whether the issue is valid and inform the reporter of the outcome within 15 working days.
The handling process depends on the maturity of the document affected. For completed W3C Recommendations, a vulnerability may be addressed through an erratum, an updated Recommendation or a new document. For Candidate Recommendations and Working Drafts, the issue may be handled through the relevant Working Group process. For early editor’s drafts or Community Group reports, the issue is expected to be discussed with the relevant editors or group.
The draft also addresses public disclosure. Once a fix or update is available, and after enough time has been allowed for related technologies to implement changes, W3C encourages public disclosure of resolved vulnerabilities. Disclosure may be delayed where publication would create greater security risks than benefits.
The policy follows coordinated vulnerability disclosure principles and refers to ISO/IEC 29147 and ISO/IEC 30111, which cover vulnerability disclosure and vulnerability handling processes respectively.
As a Group Note Draft, the document is still work in progress. It is not endorsed by W3C or its members and may be changed, replaced or withdrawn. The Security Interest Group is inviting feedback through GitHub.
