Responsible disclosure: responsible handling of security vulnerabilities

date: Feb 19, 2025
Authors: Yuri Gbur, Sandro Einfeldt, Fabian Mittermair

Mistakes are human - this also applies to software development. A simple transposed digit or an overlooked special case in the code can have far-reaching consequences, such as security gaps that attackers could exploit. Closing such gaps requires a structured and efficient approach. This is exactly where the concept of a responsible disclosure process comes in. At CERTAINITY, we see responsible disclosure as an important contribution to the IT community and to a society that is secure and resilient against cyber attacks.

What does Responsible Disclosure mean?

Responsible disclosure stands for the responsible handling of the publication of security vulnerabilities. This means that security researchers first report discovered vulnerabilities to the affected companies or manufacturers before publishing the information. This ensures that the vulnerabilities can be fixed before attackers exploit them. Nevertheless, the eventual publication of the vulnerability after it has been fixed is a key element in promoting transparency and informing users in a targeted manner. This makes it easier for users to find out about security problems and gives them clear instructions on how to protect their systems, for example through updates or configuration adjustments.

Our approach at CERTAINITY

At CERTAINITY, vulnerabilities found in the software of our direct customers are covered by a non-disclosure agreement (NDA), i.e. the customer decides how much information they want to publish about the vulnerabilities found. However, only very few companies use software that they have developed themselves. If we discover vulnerabilities in third-party software during our engagements, our customers are often unable to fix these vulnerabilities themselves. In these cases, our Responsible Disclosure process comes into play:

Our Responsible Disclosure Policy forms the basis for the responsible handling of security vulnerabilities in third-party software. It gives the consultants at CERTAINITY clear guidelines on how they can safely report vulnerabilities and describes our internal process. The process steps of the policy can be summarized as follows:

1. Analysis: Our experts identify a vulnerability and assess its criticality.
2. Reporting/contacting: Information about the vulnerability and all the details necessary to reproduce it are sent to the manufacturer or the affected company. A deadline for remediation is agreed. CERTAINITY ensures that the manufacturer has sufficient time to make the necessary adjustments, while at the same time providing a prompt solution for the customer.
3. Remedy: Ideally, the manufacturer develops a suitable solution strategy within the agreed timeframe. Our consultants actively support this process and verify the developed solution to ensure that the vulnerability is successfully closed.
4. Publication: After successful remediation or expiry of the deadline, the vulnerability is published with the aim of informing the public and drawing attention to the security problem and the solution. For the vulnerability documentation (advisory), we choose a clearly structured format including software identifiers, version numbers, risk assessments, CVE numbers and a detailed timeline. This allows readers to quickly assess whether and to what extent they are affected.

With this approach, we create trust between all parties involved and help to close weak points in the long term.

Examples from practice

Over the years, we have reported and seen fixed several vulnerabilities via the Responsible Disclosure process. Some highlights of our security advisories are:

Challenges and best practices

Implementing responsible disclosure is not always easy. The most common challenges include:

  • Communication: Companies are sometimes slow to respond to security reports. In addition, the lack of a designated security contact makes it difficult to get in touch and delays the whole process.
  • Understanding: Not all companies immediately understand why a reported vulnerability is critical, or they underestimate its criticality.
  • Prioritization/costs: The vendor or developer must proactively allocate resources to fix the vulnerability.

Our experience shows that transparency, a clear process and mutual respect are the keys to success. We recommend the following best practices:

  • Clear documentation: A published policy for handling security reports builds trust and provides guidance for all involved. Many organizations participate in bug bounty programs or follow the “security.txt” standard, under which security contacts are listed in a uniform format on the website at /.well-known/security.txt.
  • Prompt communication: Rapid feedback shows that security vulnerabilities are taken seriously. Here too, a public commitment in the policy to adhering to response deadlines is recommended.
  • Cooperation: Security researchers and manufacturers should work together on solutions. If required, CERTAINITY can also use its portfolio to provide in-depth support in improving the security level.

Conclusion

Companies that handle vulnerabilities in a transparent and structured manner not only strengthen the security of their own systems, but also the entire IT industry. A clear process is essential - especially in view of increasing software complexity, growing open source and framework dependencies and increasing regulatory requirements (e.g. NIS2, CRA).

Software manufacturers that focus on transparency, cooperation and clear processes at an early stage gain trust, reduce risks and strengthen their resilience. CERTAINITY is actively involved in this area - through targeted security research, structured responsible disclosure processes and close cooperation with manufacturers, security researchers and the IT community - for sustainable and resilient cybersecurity.