What is Responsible Disclosure?

18. February 2020

The security analysts of usd HeroLab frequently discover previously unknown security vulnerabilities in products as part of their daily work. For these zero-day vulnerabilities, no security patches (corrective changes applied to the product to remedy security gaps) have been made or released yet. It is therefore essential to use any knowledge of such vulnerabilities responsibly to support manufacturers in finding timely solutions and close critical entry points for potential attackers.

usd AG has therefore designed a systematic, coordinated process for reporting vulnerabilities discovered in standard products to their manufacturers in a timely manner.

The goal of this process for “Responsible Disclosure” is to ensure together with the manufacturers that vulnerabilities are fixed quickly by releasing security patches that enable companies and end users to protect themselves. This responsible disclosure process is described below.

Initial contact

usd AG initially attempts to establish encrypted communication with the security team, IT operations or development team of the manufacturer. usd AG will attempt to contact the manufacturer multiple times via different communication channels.

Encrypted exchange of information

In order to communicate the results of our work securely to enable the manufacturer to reproduce and eliminate the vulnerability, a suitable method of secure, encrypted communication is agreed upon. usd AG provides different methods of encryption for this purpose.

Supporting the manufacturer

Should the manufacturer face any uncertainties or have any questions regarding the remediation, usd HeroLab security analysts are happy to answer questions and provide, among other things, advice, technical instructions or videos.

Publication

In coordination with the manufacturer, usd AG publishes a description of the vulnerability and detailed technical information in the form of a security advisory on the usd HeroLab website after the vulnerability has been fixed. At the same time, readers are notified of the possibilities for remedying the vulnerability, for example through updates provided by the manufacturer.

In accordance with our mission “more security”, we feel obliged to both demand and support a prompt remedy. For this reason, we strive to release a security advisory after a maximum of 60 days from the initial contact with the manufacturer. We are aware that this time span can be a challenging deadline for many companies. In justified cases, we therefore deviate from this deadline and allow more time before we publish our advisory.

When publishing security vulnerabilities, usd always undertakes to act responsibly and in the interest of general security. We only deviate from our standard process – in particular regarding the deadline for publication – in cases in which a different procedure demonstrably reduces the risks of all affected parties.

Also interesting:

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

Current developments in AI systems show that vulnerabilities are found more quickly, suitable exploits are developed more quickly, and attacks are increasingly implemented automatically. This significantly reduces the time between discovery and exploitation. What used...

Bafin Publishes 9th Amendment to MaRisk

Bafin Publishes 9th Amendment to MaRisk

On 30 June 2026, all credit institutions and financial services institutions in Germany received an important circular: Following the consultation phase, the German Federal Financial Supervisory Authority (Bafin) published the 9th amendment to its Minimum Requirements...

usd AG Listed as EPI Partner for Mobile Security Evaluations

usd AG Listed as EPI Partner for Mobile Security Evaluations

The popularity of mobile payments is growing, and with it, the demand for verified security. usd AG is expanding its activities in the EPI environment and will also conduct Mobile Security Evaluations in the future. This places us among the few EPI-listed Security...

Categories

Categories