Unknown Vulnerabilities – Responsibilities of the Finder

18. February 2020

The security analysts of usd HeroLab frequently discover previously unknown security vulnerabilities in products as part of their daily work. For these zero-day vulnerabilities, no security patches (corrective changes applied to the product to remedy security gaps) have been made or released yet. It is therefore essential to use any knowledge of such vulnerabilities responsibly to support manufacturers in finding timely solutions and close critical entry points for potential attackers.

usd AG has therefore designed a systematic, coordinated process for reporting vulnerabilities discovered in standard products to their manufacturers in a timely manner.

The goal of this process for “Responsible Disclosure” is to ensure together with the manufacturers that vulnerabilities are fixed quickly by releasing security patches that enable companies and end users to protect themselves. This responsible disclosure process is described below.Initial contact

usd AG initially attempts to establish encrypted communication with the security team, IT operations or development team of the manufacturer. usd AG will attempt to contact the manufacturer multiple times via different communication channels.Encrypted exchange of information

In order to communicate the results of our work securely to enable the manufacturer to reproduce and eliminate the vulnerability, a suitable method of secure, encrypted communication is agreed upon. usd AG provides different methods of encryption for this purpose.Supporting the manufacturer

Should the manufacturer face any uncertainties or have any questions regarding the remediation, usd HeroLab security analysts are happy to answer questions and provide, among other things, advice, technical instructions or videos.Publication

In coordination with the manufacturer, usd AG publishes a description of the vulnerability and detailed technical information in the form of a security advisory on the usd HeroLab website after the vulnerability has been fixed. At the same time, readers are notified of the possibilities for remedying the vulnerability, for example through updates provided by the manufacturer.

In accordance with our mission “more security”, we feel obliged to both demand and support a prompt remedy. For this reason, we strive to release a security advisory after a maximum of 60 days from the initial contact with the manufacturer. We are aware that this time span can be a challenging deadline for many companies. In justified cases, we therefore deviate from this deadline and allow more time before we publish our advisory.

When publishing security vulnerabilities, usd always undertakes to act responsibly and in the interest of general security. We only deviate from our standard process – in particular regarding the deadline for publication – in cases in which a different procedure demonstrably reduces the risks of all affected parties.

Also interesting:

Security Advisories for Apache Tomcat

Security Advisories for Apache Tomcat

The analysts at usd HeroLab examined the popular Open Source Web Server Apache Tomcat as part of their security analyses. Two vulnerabilities were identified, which made it possible to obtain restricted write permissions and to perform XML External Entity Injection...