Date: 19 September 2012
Click here for printable version
AusCERT Vulnerability Disclosure Policy
This policy outlines how AusCERT will handle the disclosure of new information about computer software or hardware vulnerabilities that have been reported to AusCERT and which are not yet in the public domain.
What is responsible disclosure?
The responsible disclosure process is intended to balance the need to inform the community about computer security vulnerabilities and threats, against the risk of knowledge of the vulnerability becoming available to malicious parties prior to a remediation becoming available. Under a responsible disclosure policy, a security vulnerability in a computer product or service is reported to the vendors/software developers of the affected product/service, prior to the formal public disclosure of the vulnerability to allow the vendor/software developers time to prepare a response (eg a patch, mitigation or advisory) that is in the best interests of the community.
In the event that a vendor/software developer has not yet corrected the vulnerability within the 45 day period, under a responsible disclosure policy, the information about the vulnerability will be disclosed so that affected organisations/users of the computer software or product may themselves be aware of the problem and take mitigation action, if possible. This is considered beneficial in case an attacker has knowledge of the vulnerability and would be freely able to exploit it.
As part of its role, AusCERT receives information about security vulnerabilities in computer hardware and software, closed or open source. These reports of vulnerability are received from a variety of public and private sources, or may be discovered by AusCERT. AusCERT, in its mission to disseminate information to its constituency, has a duty to responsibly disclose them.
AusCERT reserves the right to publish on its web site any reported vulnerability no later than 45 days after AusCERT notifies the affected vendor/software developer, even if a security patch or mitigation is unavailable.
Vendors, and affected software developers will be notified about the vulnerability (if the reporter has not already done so) as soon as possible, and be given the opportunity to confirm the vulnerability; develop a patch to correct the vulnerability, and invited to actively participate in the drafting of the vulnerability disclosure advice within the same 45 day period.
Unless otherwise requested by the reporter, AusCERT will advise the vendor/software developer of the name and contact details of the reporter, and provide credit to the reporter who discovered the vulnerability in any formal advice published.
Publication may occur sooner, either with or without the involvement of the vendor/software developer if, for example:
- knowledge of the vulnerability becomes public via other sources and there is a serious risk of exploitation, or
- exploitation of the vulnerability appears to be occurring, or highly probable, eg due to the existence of proof-of-concept exploitation code.
AusCERT will publish vulnerability information in the form of AusCERT External Security Bulletins (ESB), AusCERT Security Bulletins (ASB) and/or by other, more informal channels, such as blogs or Twitter.
Will AusCERT publish every instance of vulnerability it becomes aware of?
Where possible, AusCERT will assess the reliability of the information and the risk users of the affected software/product face, ie severity of the harm if the vulnerability is exploited and the ease with which the vulnerability can be exploited, in determining whether to publish or not.
Why 45 days?
AusCERT has adopted the CERT/CC’s timeline as an appropriate time period for responsible disclosure. This is regarded as a reasonable period of time for a vendor/software developer to assess the information about the vulnerability and prepare an appropriate response.
AusCERT gratefully acknowledges the contribution CERT/CC has made to responsible vulnerability disclosure for many years. This policy shares many of the principles and goals of that policy.
Publishing a responsible disclosure policy is desirable to help manage the expectations of:
- the users/organisations that rely on computer emergency response teams and/or vendors to notify them about computer security vulnerabilities in order to mitigate the harm to their systems and data,
- vulnerability researchers who need to understand whether their research will be taken seriously by those who can help facilitate responsible disclosure; and
- vendors/software developers who need to understand that publication of vulnerabilities will occur within specific timeframes and hence they should endeavour to work in a responsible way to mitigate the vulnerability before disclosure occurs.
- AusCERT Vision and Mission Statement http://www.auscert.org.au/1936
- ASBs are AusCERT member only content. After 30 days, the access restrictions to this content is removed and the information becomes fully public.
- CERT/CC Vulnerability Disclosure Policy http://www.cert.org/kb/vul_disclosure.html