Vulnerability Disclosures


Vulnerability Disclosure Coordination Policy

This policy outlines how CERT Australia will coordinate the disclosure of information relating to reported vulnerabilities that is not publicly known.

CERT Australia seeks to minimise the potential harm caused by the exploitation of vulnerabilities by coordinating their disclosure. This disclosure will also provide vendors and developers with additional time to mitigate the vulnerabilities and enable affected systems of national interest to reduce their exposure.

Responsible Disclosure

The discloser, CERT Australia and the affected vendor/developer agree to:

  • adopt the procedures outlined in this policy

  • operate in accordance with the relevant local law of their jurisdiction

  • take reasonable care not to cause undue harm during security research, vulnerability discovery and disclosure

  • provide sufficient information on the reported vulnerability as required

  • maintain discretion

  • keep timely communications.

CERT Australia will:

  • facilitate agreement between relevant parties to disclose information regarding a vulnerability to the public

  • give due credit or maintain anonymity to the extent possible

  • provide fair and impartial treatment to all relevant parties

  • make reasonable efforts to contact the discloser and affected vendor/developer prior to the release of the disclosure.

CERT Australia will not:

  • provide a reward or incentive such as a ‘bug bounty’; however, the affected vendor/developer may elect to do so

  • recommend or pursue legal action on behalf of another party.

Timeframe

Vulnerabilities may be made public 45 days after CERT Australia notifies the affected vendor/developer, regardless of the existence or availability of patches or other mitigations. This timeframe could change if the vulnerability is:

  • being actively exploited

  • publicly disclosed by an entity other than CERT Australia

  • reported by multiple sources to CERT Australia or the affected vendor/developer

  • considered to be exceptionally serious (such as threatening public safety)

  • or on agreement between the discloser, CERT Australia and the affected vendor/developer.

Reporting to us

What to report to CERT Australia:

  • High-impact vulnerabilities. These may affect many users, critical national infrastructure, or physical safety and could occur in software components, protocols or hardware

  • Vulnerabilities in websites or systems for big business or the Australian government.

Vulnerability disclosure reports can be made by sending a PGP encrypted email to info@cert.gov.au with the following information:

  • Details of the vulnerability discovered:

    • What products are affected?

    • What platform(s) does the product use?

    • What is the likely impact of successful exploitation?

    • Any other relevant information you can supply.

  • Any proof of concept

  • Any research demonstrating the vulnerability is not public

  • Contact details

  • Whether you have been in contact with the affected vendor/developer

  • Whether the discloser would prefer to remain anonymous.


CERT Australia will respond with further details of the process within 2 business days.

If a party intends to provide a vulnerability disclosure report to CERT Australia but does not have access to PGP encrypted email, they can contact CERT to arrange other secure means of communication.

CERT Australia reserves the right to accept or reject any vulnerability disclosure coordination role at our discretion.

Please be aware that the disclaimer available on CERT Australia’s website applies to this policy and any information disclosed pursuant to this policy.

Any inquiries regarding this policy should be directed to info@cert.gov.au or the CERT Hotline on 1300 172 499.