0-Day: Our Vulnerability Disclosure Guideline

Table of Contents


This document describes how we handle the discovery of a 0-day vulnerability. It is a rule and reference for such a security incident. This standard provides binding information on proper and safe processing by ProSec GmbH

Disclosure Specification

The following information must be included in the disclosure:

Vulnerability typespecifies which vulnerability type affects the finding.
Vulnerable versiondescribes the version associated with the vulnerability.
Vulnerable componentnames the susceptible devices of the vulnerability.
Report confidencehere you can find the detailed report of the vulnerability.
Fixed versionnames the repository version.
Vendor notificationexplains what the vendor responds about this vulnerability.
Solution datespecifies the resolution date of the vulnerability.
CVE referenceis an industry standard which aims to introduce a unified naming convention for vulnerabilities.
C.W.E.is a category system for software weaknesses and vulnerabilities.
CVSSv3 Calculatorshows the components of the Common Vulnerability Scoring System.
Researcher creditsnames the researcher who found the vulnerability
Vulnerability detailsdescribes the exact details of the vulnerabilities and which devices are affected.
Riskdescribes the effects the vulnerability might have.
Steps to reproduceexplains the way to reconstruct the vulnerability.
Solutionshows a possible solution to fix the vulnerability
Historydescribes the history of the vulnerability, when it was identified and how it progressed further.

The company affected by the vulnerability must officially in
the “Advisory”. In addition, ProSec GmbH may name the company as a reference.

Do you have any questions about the guideline?
We would be happy to advise you!
Inquire now

Bug bounty

If there is a bug bounty program, ProSec GmbH is entitled to claim the proceeds.

public disclosure

If the company concerned does not respond to the announcement of the security within 14 days
gap, the disclosure including the PoC codes will be published.

If the company concerned responds to the disclosure within 14 days, a coordinated disclosure will be made
carried out; if the manufacturer is affected, a joint solution to the problem is found.

coordinated disclosure

After the vulnerability has been fixed, we wait 14 days for publication (the PoC codes are excluded from disclosure). The release gives customers the opportunity to fix the vulnerabilities through updates from the manufacturer. Our goal with this strategy is not to create copycats. To illustrate our process, below are two timelines:

0-Day Our Vulnerability Disclosure Guideline


The company affected by the vulnerability must submit a statement to security@prosec-networks.com within 14 days of notification by ProSec GmbH. If no information is provided, ProSec GmbH is entitled to publish the disclosure. If the company or the manufacturer needs more time to fix the security gap, a joint deadline will be agreed with ProSec GmbH.

supplementary agreement

All parties involved must be aware of the deadlines and consequences of this disclosure.


Table of Contents