Coordinated vulnerability disclosure policy
In order to carry out our tasks and fulfil our mandate, we deal with a number of applications and software. These can be commercial or free, open source (FOSS) and either used by us, our Constituents (the EU institutions, bodies and agencies) or both.
Those applications and software may contain security flaws and vulnerabilities and therefore exposed to attacks. In order to enhance the good functioning of the products that we or our Constituents use, this clear, step-by-step procedure was developed, with the aim to mitigate the effects of such exposure and, at the same time, attempt to help product vendors and software developers to implement appropriate and timely solutions.
If a vulnerability is reported to us or discovered internally by our teams, the following disclosure policy procedure will be applied, in line with the steps described below.
Whenever feasible and relevant for the security of our Constituents, we will attempt to confirm the considered vulnerability. Reporters should, ideally, provide a supporting Proof-of-Concept (PoC). We can decide, at our own discretion, whether or not to confirm a vulnerability. However, as this confirmation represents an essential requirement, a sufficiently detailed description of the identified issue could also be accepted.
NOTIFICATION TO THE RELEVANT PARTIES
If the reported vulnerability is confirmed, or if we do not formally confirm it but we consider the report to be sufficiently plausible, the related vendors (in case of commercial products) or the related communities (in case of FOSS) will be identified as well as their designated contacts. Then, the relevant parties will be informed about the vulnerability and made aware of this disclosure policy.
Once the initial contact and a secure channel have been established, we will share the details of the vulnerability with the relevant third parties. The deadlines mentioned in the different phases below will start when we have established a contact that can reasonably be considered as appropriate to receive vulnerability information. When no such contacts have been established after reasonable attempts are made by CERT-EU, the deadlines below will also be considered started.
We will make every effort that is necessary to document, at each stage of the exchange, that the concerned vendors or the communities have been contacted and received our notifications.
LIMITED DISCLOSURE TO CONSTITUENTS
If the vulnerability is not fixed, and the relevant patches mitigating or resolving the vulnerability released, within 30 days from the date of the notification, we will release a security advisory addressed to our Constituents only to inform them about the issue. The advisory will include suggestions on possible mitigating measures. This is in line with our mandate to protect our Constituents against cyberattacks. Furthermore, certain Constituents may be involved from the very beginning of the disclosure process if we consider them particularly exposed to the vulnerability under consideration.
LIMITED DISCLOSURE TO CYBERSECURITY COMMUNITIES
If the vulnerability is not fixed, and the relevant patches mitigating or resolving the vulnerability released, within 60 days from the date of the notification, we will issue a security advisory addressed to the cybersecurity communities with whom it has a well established and solid cooperation and where the level of information exchange is particularly high. These communities include, but are not limited to, the European Government CERTs group (EGC) and the EU Member States’ CSIRTs Network. The document will aim to inform those communities about the security issue and may include suggestions on possible mitigating measures.
PUBLIC DISCLOSURE BY THE VENDOR OR A COMMUNITY
For the public vulnerability disclosure, we normally grant 90 days from the first notification to the vendor or community, in order for them to issue a proper fix and publish the relevant details on the vulnerability. However, if a sound justification and explanation for any delay can be produced, CERT-EU may agree on extending the 90-day time frame.
PUBLIC DISCLOSURE BY CERT-EU
If the deadline mentioned in the previous paragraph has passed and the vendor or community has neither responded to our vulnerability report, offering a reasonable action plan, nor has asked for a time extension, we may publish a security advisory on our website and on our social media accounts, or any other media that we consider appropriate.