This page describes the disclosure policy that Cert-IST applies when it becomes aware of a new security vulnerability. The policy is based on the principles set out in a proposal made to the IETF in 2002 (see the IETF RFC draft mentioned below). Cert-IST pays close attention to the ongoing standardization efforts in this area, particularly the ISO/IEC 29147 effort.
To report a security vulnerability to Cert-IST, please refer to the Contact section, which gives the details for contacting us (email and phone) as well as the means (PGP and S/MIME) to use when sending us confidential data.
Cert-IST vulnerability disclosure policy
This policy is meant to advertise the rules followed by Cert-IST regarding vulnerability disclosure. It aims specifically at ensuring security for the Cert-IST constituency and at enabling Vendors to develop solutions quickly for their security problems.
Cert-IST is committed to providing assistance, within its capabilities, to facilitate the dialogue between a Reporter (who discovered a new security vulnerability) and the Vendor of the solution affected by this vulnerability. The primary role of Cert-IST is consequently to be a Coordinator, as defined in the RFC proposal "Responsible Vulnerability Disclosure Process" given below. It may sometimes also act as Reporter. If resource constraints make Cert-IST unable to provide this coordination service, it will inform the impacted parties and direct them to alternative solutions.
Cert-IST respects the process described in the Draft "Responsible Vulnerability Disclosure Process". Its first role (according to this draft) is that of Coordinator (the entity which works with the Vendor and the Reporter to analyse a vulnerability). Cert-IST may sometimes play the role of Reporter (the entity which informs the Vendor of a new vulnerability).
Cert-IST undertakes to respect a grace period, generally of 30 days, before publishing its advisories. Thus, during the discovery process of a new vulnerability, Cert-IST notifies the Vendor and makes known to it the information that will be published should no response be supplied by the end of the grace period. If the importance of the threat requires shortening this period, the various actors (specifically the Vendor) are informed. This grace period only concerns new vulnerabilities, that is, vulnerabilities that have not already been published in a public forum (open mailing lists, public Web sites, etc.).
During the Vendor notification period, Cert-IST undertakes to provide all necessary information to enable the Vendor to qualify the vulnerability: problem description, tested versions, code used and all technical information useful for understanding the problem. The notification is generally made by email and the notification date is recorded.
Nevertheless, in cases of major security risk, Cert-IST reserves the right to publish the information before or beyond the grace period; the decision whether or not to publish an advisory will always take into account the security interests of the various actors. Whenever possible, Cert-IST will propose a workaround to allow users to protect themselves against exploitation of the vulnerability.