Unknown Vulnerabilities – Responsibilities of the Finder

18. February 2020

The security analysts of usd HeroLab frequently discover previously unknown security vulnerabilities in products as part of their daily work. For these zero-day vulnerabilities, no security patches (corrective changes applied to the product to remedy security gaps) have been made or released yet. It is therefore essential to use any knowledge of such vulnerabilities responsibly to support manufacturers in finding timely solutions and close critical entry points for potential attackers.

usd AG has therefore designed a systematic, coordinated process for reporting vulnerabilities discovered in standard products to their manufacturers in a timely manner.

The goal of this process for “Responsible Disclosure” is to ensure together with the manufacturers that vulnerabilities are fixed quickly by releasing security patches that enable companies and end users to protect themselves. This responsible disclosure process is described below.

Initial contact

usd AG initially attempts to establish encrypted communication with the security team, IT operations or development team of the manufacturer. usd AG will attempt to contact the manufacturer multiple times via different communication channels.

Encrypted exchange of information

In order to communicate the results of our work securely to enable the manufacturer to reproduce and eliminate the vulnerability, a suitable method of secure, encrypted communication is agreed upon. usd AG provides different methods of encryption for this purpose.

Supporting the manufacturer

Should the manufacturer face any uncertainties or have any questions regarding the remediation, usd HeroLab security analysts are happy to answer questions and provide, among other things, advice, technical instructions or videos.


In coordination with the manufacturer, usd AG publishes a description of the vulnerability and detailed technical information in the form of a security advisory on the usd HeroLab website after the vulnerability has been fixed. At the same time, readers are notified of the possibilities for remedying the vulnerability, for example through updates provided by the manufacturer.

In accordance with our mission “more security”, we feel obliged to both demand and support a prompt remedy. For this reason, we strive to release a security advisory after a maximum of 60 days from the initial contact with the manufacturer. We are aware that this time span can be a challenging deadline for many companies. In justified cases, we therefore deviate from this deadline and allow more time before we publish our advisory.

When publishing security vulnerabilities, usd always undertakes to act responsibly and in the interest of general security. We only deviate from our standard process – in particular regarding the deadline for publication – in cases in which a different procedure demonstrably reduces the risks of all affected parties.

Also interesting:

The Countdown is on: One Year until PCI DSS v4.0 Becomes Mandatory

The Countdown is on: One Year until PCI DSS v4.0 Becomes Mandatory

On March 31, 2022, the PCI Security Standards Council (PCI SSC) published version 4.0 of PCI DSS - the most comprehensive update of the security standard for credit card data ever. Things are now getting serious for companies requiring certification: as of March 31,...

Security Advisories for NCP Secure Enterprise Client

Security Advisories for NCP Secure Enterprise Client

The usd HeroLabs analysts examined the VPN application NCP Secure Enterprise Client during their security analyses. Several high vulnerabilities and one critical vulnerability were identified. Among others, these allowed an attacker to gain unauthorized read access to...