Accessibility Options |  Sitemap |  Contact Us
   
 
 
 
HOME space ABOUTCERTIn space KNOWLEDGEBASE space TRAINING space ADVISORIES space VULNOTES space space Facebook space x space insta space pixs
WLine
DigitalIndia
WLine
csk
WLine
Full Member FIRST
Line
Operational Member TFCSIRT
Line
Accredited Member APCERT
Line
Global Research Partner APWG
Line
Associate Partner Charter
Line
 Directions by CERT-In under  Section 70B, Information  Technology Act 2000
WLine
 Guidelines on Information  Security Practices for  Government Entities
WLine
 Technical Guidelines on NEW  SOFTWARE BILL OF MATERIALS  (SBOM)
WLine
 Cyber Security GuidelinesNEW
 for Smart City Infrastructure
About CERT-in
Line
point point Client's /Citizen's Charter
Line
point point Roles & Functions
Line
point point Advisory Committee
Line
point point Act/Rules/Regulations
Line
point point Internal Complaint Committee         (ICC) 
Line
point point RFC2350 
line
point point Press  
Line
point point Tender 
Line
point point Subscribe Mailing List
Line
point point Contact Us
Line
Line
Reporting
point
 Incident Reporting
point
Line
point
 Vulnerability Reporting
point
Line
point
 Feedback
point
Line
KnowledgeBase
Line
point Point Guidelines
Line
point Point Presentations
Line
point Point White Papers 
Line
point Point Annual Report 
Line
Line
Line
line
Line
line
line
Advisories
Line
VulnerabilityNotes
Line
RelatedLinks
Line
point Point World CERTs
Line
point point Antivirus Resources
line
point point FAQ
line
line
Line
Line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
line
spacer
Home - Responsible Vulnerability Disclosure and Coordination PolicyPrint
point

Responsible Vulnerability Disclosure and Coordination Policy

1.  Introduction

Responsible Vulnerability Disclosure and Coordination refers to the process of collection, analysis, mitigation coordination with researchers/finders and vendors leading to the public disclosure of newly identified cybersecurity vulnerabilities. The purpose of Responsible Vulnerability Disclosure and Coordination is to ensure that affected vendors/OEMs get sufficient time to remediate the vulnerability.

Indian Computer Emergency Response Team (CERT-In) collaborates with researchers, cybersecurity organizations, academic institutions, vendors/OEMs, and CERT's all over the world on handling of reported vulnerabilities. In this direction, CERT-In has formulated this Responsible Vulnerability Disclosure and Coordination Policy with an aim to strengthen trust in "Digital India", "Make in India" as well as to encourage responsible vulnerability research in the Country.

The policy outlines the process of vulnerability reporting to CERT-In and also provides details as to how the information provided to CERT-In will be handled and shared.

2.  Reporting vulnerabilities to CERT-In

Security vulnerabilities in any product can be sent to us via email at vulnerability CERT-In accepts PGP Encrypted emails and attachments. The details of the public key are hereunder:

Email ID:        vulnerability
Key ID:           0x3B4E082C
Key Type:        RSA
Expires Date:  2026-12-31
Key Size:        4096/4096
Fingerprint:     6927 2217 D8D4 0208 6B1C 23E9 CE29 EA67 3B4E 082C
Helpdesk:       +91-1800-11-4949 (Toll Free)
Fax:               +91-1800-11-6969

Acknowledgement will be sent within 72 working hours upon receipt of the vulnerability information by CERT-In.

Vulnerability Reporting Formpdf

3.  Details expected in vulnerability reports

In order to examine and validate the vulnerability, CERT-In will look forward to certain details as indicated below:

  • The product(s) affected
  • The exact software version or model affected;
  • Vendor details
  • Description of the vulnerability along with concise steps to reproduce the reported vulnerability along with supporting evidences such as:
    • Proof of concept (PoC) and/or
    • Code sample and/or
    • Crash reports and/or
    • Screenshots and Video recording etc.
  • The impact of exploiting the vulnerability

In addition to the above, preferably the following details also may be provided:

  • Other products or software versions likely to be affected
  • How the vulnerability was discovered
  • The tools used for discovering the vulnerability
  • Information on any known exploit
  • Time constraints with respect to going public about the issue (e.g. article, blog or conference etc.)
  • Whether the vulnerability has already been reported to the vendor / other agency or any plan to do so
  • Whether reporting party wants to remain anonymous during the coordination process
  • Whether reporting party wants mention in the vulnerability note / advisory

Following need to be ensured before reporting the issue:

  • The vulnerability must be reproducible on the latest available version or 'supported' version of the product
  • The vulnerability must not be previously known

4.  Coordination for resolution

CERT-In will examine and validate the vulnerability report and communicate to the discloser whether or not the report will be coordinated by CERT-In.Upon successful validation, CERT-In will initiate coordination with the relevant product vendor(s), discloser and other stakeholders (if required) for the remediation and closure of the issue.

CERT-In shall make all possible efforts to limit the disclosure to a bare minimum. However situations may arise where assistance from trusted third parties may be required in which case CERT-In will be sharing a subset or all the vulnerability information, as the case may be, with the trusted third parties.

CERT-In will also release vulnerability note/advisory on its website after the vulnerability is addressed or at an appropriate time as determined by CERT-In in synchronisation with the stakeholders involved during the coordination effort.

5.  Timelines

CERT-In will endeavour to get the issue resolved within 120 days from initial vendor contact date.

This timeframe could change if the vulnerability is:

    • Being actively exploited
    • Reported by multiple sources to CERT-In or the affected vendor/ developer
    • Considered to be exceptionally serious (such as threatening public safety) or
    • On agreement between the discloser, CERT-In and the affected vendor/developer.

It may be noted that situations may arise where the issue is not resolved within 120 days, e.g. due to disagreement between vendor and discloser, non-response from vendor etc. CERT-In may consider to close the issue in such cases with intimation to the discloser or make the vulnerability public and stop the coordination effort with the vendor.

6.  Credits and Rewards

CERT-In appreciates the work of the vulnerability researcher(s) and is willing to give due credit for discovering the issue by mentioning the same on vulnerability note / advisory to be published on CERT-In website for the issue.

In addition, if the vendor(s) affected by the vulnerability desires to reward the discloser in some way, CERT-In will be willing to connect them with the discloser. CERT-In will limit its role to mere introducing the discloser with the vendor and will not partake in any discussion related to the reward whatsoever.

7.  Disclaimer

CERT-In will make all attempts to expedite the vulnerability resolution, however no fixed deadlines can be assigned due to involvement of wide range of vendor(s), their issue handling processes, cooperation and priorities as well as uncertainties surrounding the complexity of solution which are well beyond the control of CERT-In. CERT-In will attempt to balance the interest of all stakeholders involved during the coordination effort.

This policy is subjected to IT Act 2000 and 2008 (Amendment). The reporting party must ensure to comply with all the extant laws and regulations while discovering the vulnerabilities. Reporting a vulnerability to CERT-In does not imply being exempt from compliance. Discloser shall be responsible for any action performed by her / him for discovering the vulnerability whatsoever.

"Install genuine and updated software
to strengthen your online safety and security"

 
Indian Computer Emergency Response Team - CERT-In, Ministry of Electronics and Information Technology, Government of India.
Website Policies |  Terms of Use |  Help Last Updated On February 22, 2025