What is Responsible Disclosure?

18. February 2020

The security analysts of usd HeroLab frequently discover previously unknown security vulnerabilities in products as part of their daily work. For these zero-day vulnerabilities, no security patches (corrective changes applied to the product to remedy security gaps) have been made or released yet. It is therefore essential to use any knowledge of such vulnerabilities responsibly to support manufacturers in finding timely solutions and close critical entry points for potential attackers.

usd AG has therefore designed a systematic, coordinated process for reporting vulnerabilities discovered in standard products to their manufacturers in a timely manner.

The goal of this process for “Responsible Disclosure” is to ensure together with the manufacturers that vulnerabilities are fixed quickly by releasing security patches that enable companies and end users to protect themselves. This responsible disclosure process is described below.

Initial contact

usd AG initially attempts to establish encrypted communication with the security team, IT operations or development team of the manufacturer. usd AG will attempt to contact the manufacturer multiple times via different communication channels.

Encrypted exchange of information

In order to communicate the results of our work securely to enable the manufacturer to reproduce and eliminate the vulnerability, a suitable method of secure, encrypted communication is agreed upon. usd AG provides different methods of encryption for this purpose.

Supporting the manufacturer

Should the manufacturer face any uncertainties or have any questions regarding the remediation, usd HeroLab security analysts are happy to answer questions and provide, among other things, advice, technical instructions or videos.


In coordination with the manufacturer, usd AG publishes a description of the vulnerability and detailed technical information in the form of a security advisory on the usd HeroLab website after the vulnerability has been fixed. At the same time, readers are notified of the possibilities for remedying the vulnerability, for example through updates provided by the manufacturer.

In accordance with our mission “more security”, we feel obliged to both demand and support a prompt remedy. For this reason, we strive to release a security advisory after a maximum of 60 days from the initial contact with the manufacturer. We are aware that this time span can be a challenging deadline for many companies. In justified cases, we therefore deviate from this deadline and allow more time before we publish our advisory.

When publishing security vulnerabilities, usd always undertakes to act responsibly and in the interest of general security. We only deviate from our standard process – in particular regarding the deadline for publication – in cases in which a different procedure demonstrably reduces the risks of all affected parties.

Also interesting:

ERFA KRITIS  - Audits was a Guest at CST Academy 

ERFA KRITIS  - Audits was a Guest at CST Academy 

In recent years, the number of critical facilities requiring special protection and registered with the German Federal Office for Information Security (BSI) has risen steadily. With KRITIS Audits in accordance with § 8a BSIG (IT Security Act), operators of critical...

6 Reasons For a Security Audit

6 Reasons For a Security Audit

The number of cyberattacks on companies is constantly rising, and the threat level reached a record high last year (source: BSI). The consequences can be devastating. Nevertheless, many companies often hesitate to conduct Security Audits. A Security Audit can...

Hacker Contest At The TU Darmstadt Enters The Next Round

Hacker Contest At The TU Darmstadt Enters The Next Round

"The Hacker Contest is a valuable component of our mission. Because giving students a hands-on understanding of the importance of penetration testing for IT security is more important than ever. " emphasizes Tobias Hamann, Senior Consultant IT Security at usd HeroLab....