Coordinated Disclosure

There are several ways we may become aware of a security vulnerability: either we find a public disclosure, somebody sends a vulnerability submission to us, or our research team identifies one in a tested product.

If we think that a weakness is not yet known to the vendor, we try to contact them to establish a coordinated vulnerability disclosure. VulDB is neither a bug bounty service nor do we guide researchers through vulnerability disclosures. We contact vendors on a voluntary basis to give them a chance to react properly. This might be a response with their own risk assessment or the quick release of a fixed version of the affected component.

Contacting Vendors

We handle hundreds of vulnerabilities per day, which makes it very important for us to streamline our voluntary efforts. First we try to find the official source of the affected software. Then we try to find a mail address through which we can inform the product maintainer about the potential vulnerability. Ideally, this is a security-related address dedicated to vulnerability reports. If no such dedicated address is available, we use a more generic address if one exists.

If no mail address is published and the only remaining contact options are a web form, an issue tracker or the phone, we do not pursue the coordinated disclosure any further. Our resources are too limited to let this part of our voluntary work be hindered by the workflows of other parties.

The timeline for coordinated vulnerability disclosure is very tight when it comes to vulnerabilities that are already public. In such cases the CNA Rules expect an immediate assignment and availability of a CVE, since attackers might already be exploiting the shared attack details.

Thus, we always have to balance the needs of the different parties involved: supporting vendors in providing solutions as quickly as possible, helping affected users mitigate risks, and preventing attackers from exploiting known vulnerabilities.

All attempts to contact vendors are documented and stored in our private vulnerability tracking system, which allows us to log coordinated disclosures and vendor responses properly.

No Responses

Unfortunately, in more than 90% of cases we never receive a response from a contacted vendor. In most cases, therefore, investing time and effort only delays the vulnerability disclosure, which prevents potential victims from learning about the risks and mitigating them. This is not what we should aim for.

If we have contacted a vendor multiple times over a long period and have never received a response, we assume that they are not interested in a coordinated vulnerability disclosure. In this case we might suspend further contact attempts to keep our responsible vulnerability disclosures efficient. If vendors are not willing to prepare countermeasures in time, we will help potential victims learn about the risks they are exposed to.

We document this unfortunate situation in our disclosures to inform customers about vendors that might not take the security of their products seriously.
