It is the policy of the company to exercise the responsible disclosure of security vulnerabilities in a manner that is of maximum value to all affected parties.
It is our intention to meet a number of key objectives during the disclosure process, as follows:
- To ensure the company’s clients are provided with the greatest level of protection against the vulnerabilities in their systems
- To maintain an effective line of communication with the software vendor in order to ensure that appropriate fixes can be produced in a timely manner
- To provide the users of vulnerable software with the opportunity to apply appropriate fixes before the details of the issue are made public
- To release details of the vulnerability through appropriate channels so that the information can be distributed to interested parties within the ICS/SCADA industry
- To provide accurate information about the vulnerability so that security professionals can determine whether the systems they are assessing are affected.
Advisory Production and Disclosure Process
A period of analysis and further research will initially be conducted upon the discovery of any previously-unpublished security vulnerability. An advisory will subsequently be produced that documents the type of issue and its causes. The advisory will also include details of any proof of concept exploit and an immediate workaround in order to mitigate the risk that the issue exposes.
Once the advisory has been produced, it will initially be released to the vendor of the affected product or software. However, if the vulnerability is discovered during a penetration test being conducted against one of our clients, it will be disclosed to that client in the first instance in order to ensure that they receive the highest level of service with regard to the reduction of business risk.
Each of our clients is subject to a Non-Disclosure Agreement, ensuring that the information cannot be redistributed without our express permission.
We will endeavour to use communication channels documented by the vendor for security issues. If a security contact has been provided then this will be used in the first instance, otherwise communication will be attempted by email or telephone to the most appropriate resource.
- If confirmation of receipt is not received from the vendor within two weeks, ICS-CERT will be notified with a high-level summary of the vulnerability
- If no response to the vendor communications has been received within four weeks of the initial contact, the full vulnerability details will be published to our current clients
- A minimum of two weeks after disclosure to our clients, and if the vendor has still not responded, the vulnerability information will be released into the public domain through a number of appropriate channels.
It is hoped that a communication channel will be established with the vendor within two weeks of our initial attempts to contact them. Using this channel, it is expected that the vendor will inform us about their intended fix for the issue and will establish a timeline for the publication of patches and updates for the vendor’s customers. We will endeavour to work with any vendor to ensure that the entire disclosure process is in line with their planned timelines.
A date for publishing the advisory to our clients and subsequently to the public will also be agreed at this juncture. However, if the communication channel is not maintained by the vendor, we retain the right to alter the timescales for publication accordingly, based on the level of service expected by their clients.
This disclosure policy is documented to ensure that all parties involved in the process are aware of its aims and objectives. Each discovered vulnerability will be different and it is expected that the disclosure process can be conducted in a manner that provides the greatest level of assurance to all affected parties. Where deviations to this process are required they will be conducted in a manner that is in line with the objectives set out above.