Vulnerability Disclosure

How we Handle and Publish Security Issues

Key Points

This is how we handle a Vulnerability Disclosure

  • Co-ordination with our client to define the most efficient approach
  • Contact the vendor and share information to assess and mitigate the issue
  • Establish a 90-day deadline to minimize the window of opportunity for malicious attackers
  • Disclosure of the issue on the appropriate channels to reach out to the defensive community

Finding vulnerabilities to establish countermeasures is essential for a secure and safe world. We at scip AG have to deal with security vulnerabilities on a daily basis. It is very common that our Red Team (offense) or Titanium Team (research) identifies new vulnerabilities and weaknesses within projects.

Since scip was founded back in 2002 we have worked with several organizations to successfully analyze, mitigate, and disclose vulnerabilities. This includes but is not limited to well-known and public companies like:

Microsoft ⋅ Apple ⋅ Cisco ⋅ IBM ⋅ Oracle ⋅ Mozilla ⋅ Sun ⋅ Novell ⋅ CheckPoint ⋅ Palo Alto ⋅ Trend Micro ⋅ Finjan ⋅ F5 ⋅ Dell ⋅ SonicWall ⋅ ASUS ⋅ D-Link ⋅ Netgear ⋅ Sony ⋅ Facebook ⋅ Dropbox ⋅ Skype ⋅ GE Healthcare ⋅ Fujifilm ⋅ Draeger ⋅ B. Braun ⋅ Daimler ⋅ Mercedes

The cyber security experience of our specialists ranges back to 1996. We see it as our professional and ethical obligation to practice Responsible Disclosure to improve security and safety.

This document describes our vulnerability disclosure policy and process. We follow a Best Practice approach that has been established in the cyber security industry and followed by other organizations for decades (e.g. ENISA Coordinated Vulnerability Disclosure Policies in the EU). We prefer a responsible and coordinated disclosure. If you are a vendor working with us on a vulnerability disclosure, steps 3 and 4 are the most important for you.

Our Vulnerability Disclosure Process

Vulnerability Disclosure Policy and Process

Step 1: Coordinating with our Client

If our teams at scip suspect or determine a security vulnerability or weakness within a customer project, we discuss the matter with our client and the legal teams to define an appropriate approach to handle the issue.

Step 2: Contacting the Vendor

We then inform the vendor as soon as possible via official mail addresses, web forms or even, if necessary, social media accounts. This initial contact will contain basic information about the finding which helps the vendor to assess and address the issue. As we share vulnerability information with vendors on a voluntary basis, we are not willing to invest time in proprietary forms or submitting issues on a telephone hotline.

If the vendor needs more information, we are willing to share all the data we have compiled during our testing (e.g. screenshots, stack traces, packet captures). Just contact us with the web form or via email if anything is unclear. We encourage secure and encrypted communication with PGP, S/MIME or via our secure transfer server. Additional technical verification and research might require monetary compensation, which will be negotiated beforehand.

If a vendor demands additional information about our customer (e.g. customer name, product serial number), we first ask our customer whether we are allowed to share such details. If the customer does not want to share personal information, we keep up the desired and legally expected level of customer relationship confidentiality. This shall have no impact on the vulnerability disclosure process as we report vendor- or product-specific vulnerabilities and not customer-specific issues.

If our specialists report multiple issues in the same submission, each issue will have a unique ID. Please refer to this ID during communication to prevent any confusion. As soon as a CVE is assigned, the issue might be referred to by this identifier instead.

We expect cooperation from vendors. They shall respond with a formal confirmation of our reporting, a technical confirmation of the reported issue, and a declaration and timeline of the next steps regarding countermeasures and disclosure. Involving lawyers and announcing legal actions does not affect our vulnerability disclosure process in any way.

All communication is protected and kept confidential until public disclosure. The copyright of the vulnerability finding and exploitability details remains with scip AG all the time (Copyright Act CopA, SR 231.1). This right will be enforced worldwide. The exclusive jurisdiction and venue of any action with respect to the subject matter are the courts residing in Zürich, Switzerland.

Step 3: Establishing the 90-Day Deadline

A 90-day deadline starts the moment we contact the vendor (step 2). Once this deadline passes, the issue is disclosed to the defensive community (step 4). This deadline might change if one of the following happens:

We reserve the right to move the deadline as necessary in unexpected or extreme circumstances.

Step 4: Disclosing the Issue

As soon as the deadline has passed (step 3), the vulnerability will be disclosed publicly or semi-publicly. Approaching external channels is the task of scip, whereas some releases are handled directly without an intermediate partner. The disclosure will happen on the appropriate platforms which usually include but are not limited to:

| Output | Channel | Responsible | Mode | Link |
|---|---|---|---|---|
| Advisory and/or Countermeasure | Vendor | Vendor | indirect | |
| CVE and NVD Entry | MITRE or other CNA | MITRE/CNA | indirect | MITRE, VulDB CNA |
| Alert, Advisory, or Report | Authorities (if necessary, e.g. ICS-CERT, FDA) | Authorities | indirect | |
| Database Entry | Vulnerability Databases | Database Vendors | indirect | VulDB |
| Posting | Security Mailing Lists | scip AG | direct | Full-Disclosure |
| News | scip Web Site | scip AG | direct | Web Site |
| Article | scip Blog (optional) | scip AG | direct | Labs, smSS |
| Post/Tweet | Social Media (e.g. Twitter, Facebook) | scip AG | direct | Twitter, Facebook |

The primary goal is to reach the defensive community and customers as quickly and professionally as possible. Under certain circumstances this might even make full disclosure necessary.

We never sell vulnerabilities nor exploits, and we also never participate in shady exploit markets.

Level of Professionalism

scip AG is committed to treating all vendors, manufacturers, partners, and customers equally. We provide the highest level of professionalism to help defend against malicious exploitation and abuse of security issues. We expect the same level of cooperative professionalism from vendors, manufacturers, partners, and customers alike.

We are working together to bring the industry, community, and society another step forward. Non-disclosure, hiding vulnerabilities, and not talking about risks help the wrong people. Security is our business.

(last edit: June 16, 2022)
