Detection. Solution. Education

Vulnerability Disclosure Guideline

1. Description

This document describes how we deal with the discovery of a security vulnerability. It is a rule and reference for such a security incident. This standard provides binding instructions for appropriate and reliable processing by ProSec GmbH.

1.1 Disclosure Specification

The following information must be included in the disclosure:
Vulnerability type: specifies which vulnerability type affects the finding.
Vulnerable version: describes the version associated with the vulnerability.
Vulnerable component: names the devices susceptible to the vulnerability.
Report confidence: here you can find the detailed report of the vulnerability.
Fixed version: names the repository version.
Vendor notification: explains how the vendor responded to this vulnerability.
Solution date: specifies the resolution date of the vulnerability.
CVE reference: an industry standard that aims to introduce a unified naming convention for vulnerabilities.
CWE: a category system for software weaknesses and vulnerabilities.
CVSSv3 Calculator: shows the components of the Common Vulnerability Scoring System.
Researcher Credits: names the researcher who found the vulnerability.
Vulnerability Details: describes the exact details of the vulnerabilities and which devices are affected.
Risk: describes the effects the vulnerability might have.
Steps to reproduce: explains the way to reconstruct the vulnerability.
Solution: shows a possible solution to fix the vulnerability.
History: describes the history of the vulnerability, when it was identified, and how it progressed further.

The company affected by the security vulnerability must officially credit the researcher in
the "Advisory". In addition, ProSec GmbH is allowed to name the company as a reference.

2. Bug bounty

If a bug bounty program exists, ProSec GmbH is entitled to claim the proceeds.

3. Public disclosure

If the company concerned does not react within 14 days to the notification of the security
vulnerability, the full disclosure, including PoC code, will be published.

If the company concerned reacts to the disclosure within 14 days, a coordinated disclosure is
carried out. If the vendor is affected, a joint deadline is set to solve the problem.

3.1 Coordinated disclosure

After the vulnerability is fixed, we wait 14 days until the release (the PoC code is excluded from
the disclosure). The publication gives customers the opportunity to fix the vulnerabilities
through updates provided by the vendor. Our goal with this strategy is not to encourage copycats. To
illustrate our process, you will find two timelines below:

Coordinated disclosure (timeline)

The company affected by the security vulnerability must provide a response within 14 days of being notified by ProSec GmbH. If no information is provided, ProSec GmbH is entitled to publish the disclosure. If the company or the manufacturer requires more time to remedy the security vulnerability, a joint deadline will be agreed with ProSec GmbH.

4. Supplementary agreement

All parties involved must be aware of the deadlines and consequences of this disclosure.