Responsible Vulnerability Disclosure and Coordination refers to the process of collecting and analysing newly identified cybersecurity vulnerabilities and coordinating their mitigation between researchers/finders and vendors, leading up to public disclosure. Its purpose is to ensure that affected vendors/OEMs get sufficient time to remediate a vulnerability before it is made public.
The Indian Computer Emergency Response Team (CERT-In) collaborates with researchers, cybersecurity organisations, academic institutions, vendors/OEMs and CERTs all over the world on the handling of reported vulnerabilities. To that end, CERT-In has formulated this Responsible Vulnerability Disclosure and Coordination Policy with the aim of strengthening trust in "Digital India" and "Make in India" and encouraging responsible vulnerability research in the country.
The policy outlines the process for reporting vulnerabilities to CERT-In and details how the information provided to CERT-In will be handled and shared.
2. Reporting vulnerabilities to CERT-In
Security vulnerabilities in any product can be sent to us via email at the address published by CERT-In. CERT-In accepts PGP-encrypted emails and attachments; the details of the public key are given below:
Key ID: 0x3B4E082C
Key Type: RSA
Expiry Date: 2024-12-31
Key Size: 4096/4096
Fingerprint: 6927 2217 D8D4 0208 6B1C 23E9 CE29 EA67 3B4E 082C
Helpdesk: +91-1800-11-4949 (Toll Free)
An acknowledgement will be sent within 72 working hours of CERT-In receiving the vulnerability information.
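As an added illustration (not part of CERT-In's policy text), the POSIX shell helper below verifies that the key in a local keyring carries exactly the fingerprint printed above before a report is encrypted to it. It assumes gpg is installed and that the CERT-In public key has already been imported; the function and variable names are the example's own. Comparing the full 40-hex-digit fingerprint matters because the 32-bit short key ID 0x3B4E082C on its own can be matched by a deliberately generated colliding key, so the ID alone is not evidence that a fetched key is the right one.

```shell
#!/bin/sh
# Added example, not part of the CERT-In policy text.
# Verifies that a key's fingerprint matches the one published in the policy
# before a report is encrypted to it. Assumes gpg is installed and that the
# CERT-In public key has already been imported into the local keyring.

# Values copied from the policy page above.
EXPECTED_FPR="6927 2217 D8D4 0208 6B1C 23E9 CE29 EA67 3B4E 082C"
EXPECTED_KEYID="0x3B4E082C"

# Canonical form: no whitespace, upper-case hex, so "gpg --fingerprint" output
# (which groups digits in fours) compares equal to the published string.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# The 32-bit short key ID is just the last 8 hex digits of a v4 fingerprint.
short_keyid_of() {
  f=$(normalize_fpr "$1")
  printf '0x%s' "${f#"${f%????????}"}"
}

# Succeeds only when $1 is a full 40-hex-digit fingerprint identical to the
# published one. A bare key ID, or a fingerprint differing in any digit, fails:
# short key IDs are only 32 bits and can be matched by a deliberately
# generated colliding key, so never accept a key on the ID alone.
check_fingerprint() {
  got=$(normalize_fpr "$1")
  want=$(normalize_fpr "$EXPECTED_FPR")
  [ "${#got}" -eq 40 ] && [ "$got" = "$want" ]
}

# Sanity check that the published key ID and fingerprint describe the same key.
keyid_matches_fingerprint() {
  [ "$(short_keyid_of "$EXPECTED_FPR")" = "$EXPECTED_KEYID" ]
}

# Fingerprint of the first key in the local keyring matching the expected key,
# as gpg actually stores it (empty if the key is not imported).
keyring_fpr() {
  gpg --batch --with-colons --fingerprint "$(normalize_fpr "$EXPECTED_FPR")" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Encrypt a report file to CERT-In: $1 is the plaintext path, output is $1.asc.
# Refuses to proceed unless the key in the keyring has the published fingerprint.
# gpg itself will also refuse an expired key (the policy lists 2024-12-31), in
# which case obtain the current key from CERT-In rather than overriding the check.
encrypt_report() {
  if ! check_fingerprint "$(keyring_fpr)"; then
    echo "CERT-In key with fingerprint $EXPECTED_FPR not found in keyring" >&2
    return 1
  fi
  gpg --batch --armor --encrypt \
      --recipient "$(normalize_fpr "$EXPECTED_FPR")" \
      --output "$1.asc" "$1"
}
```

Usage: after `gpg --import` of the key obtained from CERT-In, run `encrypt_report report.txt` to produce `report.txt.asc`. `check_fingerprint` accepts the fingerprint exactly as `gpg --fingerprint` prints it, spaces and all, and rejects anything shorter than the full fingerprint.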
3. Details expected in vulnerability reports
In order to examine and validate the vulnerability, CERT-In requires the following details:
- The product(s) affected
- The exact software version or model affected
- Vendor details
- Description of the vulnerability along with concise steps to reproduce it and supporting evidence such as:
  - Proof of concept (PoC) and/or
  - Code sample and/or
  - Crash reports and/or
  - Screenshots and video recording etc.
- The impact of exploiting the vulnerability
In addition to the above, the following details should preferably also be provided:
- Other products or software versions likely to be affected
- How the vulnerability was discovered
- The tools used for discovering the vulnerability
- Information on any known exploit
- Time constraints with respect to going public about the issue (e.g. an article, blog post or conference talk)
- Whether the vulnerability has already been reported to the vendor or another agency, or whether there is any plan to do so
- Whether the reporting party wants to remain anonymous during the coordination process
- Whether the reporting party wants to be mentioned in the vulnerability note / advisory
The following must be ensured before reporting an issue:
- The vulnerability must be reproducible on the latest available or 'supported' version of the product
- The vulnerability must not be previously known
4. Coordination for resolution
CERT-In will examine and validate the vulnerability report and communicate to the discloser whether or not the report will be coordinated by CERT-In. Upon successful validation, CERT-In will initiate coordination with the relevant product vendor(s), the discloser and other stakeholders (if required) for the remediation and closure of the issue.
CERT-In shall make all possible efforts to limit distribution of the vulnerability information to the minimum necessary. However, situations may arise where assistance from trusted third parties is required, in which case CERT-In will share a subset of, or all of, the vulnerability information with those trusted third parties, as the case may be.
CERT-In will also release a vulnerability note/advisory on its website after the vulnerability is addressed, or at an appropriate time as determined by CERT-In in consultation with the stakeholders involved in the coordination effort.
CERT-In will endeavour to get the issue resolved within 120 days from initial vendor contact date.
This timeframe may change if the vulnerability is:
- Being actively exploited
- Reported by multiple sources to CERT-In or the affected vendor/developer
- Considered to be exceptionally serious (such as threatening public safety) or
- On agreement between the discloser, CERT-In and the affected vendor/developer.
It may be noted that situations may arise where the issue is not resolved within 120 days, e.g. due to disagreement between the vendor and the discloser, or non-response from the vendor. In such cases CERT-In may close the issue with intimation to the discloser, or make the vulnerability public and stop the coordination effort with the vendor.
6. Credits and Rewards
CERT-In appreciates the work of vulnerability researcher(s) and is willing to give due credit for discovering the issue by mentioning them in the vulnerability note / advisory published for the issue on the CERT-In website.
In addition, if the vendor(s) affected by the vulnerability wish to reward the discloser in some way, CERT-In is willing to connect them with the discloser. CERT-In will limit its role to merely introducing the discloser to the vendor and will not partake in any discussion related to the reward whatsoever.
CERT-In will make every attempt to expedite vulnerability resolution; however, no fixed deadlines can be assigned because of the wide range of vendor(s) involved, their issue-handling processes, cooperation and priorities, and the uncertainties surrounding the complexity of a solution, all of which are beyond the control of CERT-In. CERT-In will attempt to balance the interests of all stakeholders involved in the coordination effort.
This policy is subject to the Information Technology Act, 2000 and its 2008 Amendment. The reporting party must comply with all extant laws and regulations while discovering vulnerabilities. Reporting a vulnerability to CERT-In does not imply exemption from such compliance. The discloser shall be responsible for any action performed by her / him in discovering the vulnerability whatsoever.