Unknown Vulnerabilities – Responsibilities of the Finder

18. February 2020

The security analysts of usd HeroLab frequently discover previously unknown security vulnerabilities in products as part of their daily work. For these zero-day vulnerabilities, no security patches (corrective changes applied to the product to remedy security gaps) have been made or released yet. It is therefore essential to use any knowledge of such vulnerabilities responsibly to support manufacturers in finding timely solutions and close critical entry points for potential attackers.

usd AG has therefore designed a systematic, coordinated process for reporting vulnerabilities discovered in standard products to their manufacturers in a timely manner.

The goal of this process for “Responsible Disclosure” is to ensure together with the manufacturers that vulnerabilities are fixed quickly by releasing security patches that enable companies and end users to protect themselves. This responsible disclosure process is described below.

Initial contact

usd AG initially attempts to establish encrypted communication with the security team, IT operations or development team of the manufacturer. usd AG will attempt to contact the manufacturer multiple times via different communication channels.

Encrypted exchange of information

So that the results of our work can be communicated securely, enabling the manufacturer to reproduce and eliminate the vulnerability, a suitable method of encrypted communication is agreed upon. usd AG provides different methods of encryption for this purpose.

Supporting the manufacturer

Should the manufacturer face any uncertainties or have any questions regarding the remediation, usd HeroLab security analysts are happy to answer questions and provide, among other things, advice, technical instructions or videos.

Publication

In coordination with the manufacturer, usd AG publishes a description of the vulnerability and detailed technical information in the form of a security advisory on the usd HeroLab website after the vulnerability has been fixed. At the same time, readers are notified of the possibilities for remedying the vulnerability, for example through updates provided by the manufacturer.

In accordance with our mission “more security”, we feel obliged to both demand and support a prompt remedy. For this reason, we strive to release a security advisory after a maximum of 60 days from the initial contact with the manufacturer. We are aware that this time span can be a challenging deadline for many companies. In justified cases, we therefore deviate from this deadline and allow more time before we publish our advisory.

When publishing security vulnerabilities, usd always undertakes to act responsibly and in the interest of general security. We only deviate from our standard process – in particular regarding the deadline for publication – in cases in which a different procedure demonstrably reduces the risks of all affected parties.
