No Security Language in Software Support or Software Development Contracts #71
pjtrainor started this conversation in Ideas for new Bad Practices
What I have seen in multiple instances are companies or entities that have purchased specialized software or have software development contracts, but there is no security-related language in these contracts. The end result is that there is no forcing function to ensure vendors, developers and suppliers of software or hardware products 1. inform their customers that there are security-related flaws or vulnerabilities, 2. provide patches, fixes, etc. to fix any vulnerabilities associated with this software or hardware in a timely manner, if at all, or 3. provide support related to the vulnerabilities, misconfiguration, or poorly written code or reuse of code in their products.
This can or should be done through contracts, but what I find is that there is no repository of language companies or entities can use or should be using in these contracts. If we are going to fix this "supply chain risk" from within the government or otherwise, there should be a repository of language published or provided as a reference or template to be used as security contract language.