Disclosure Policy

Companies working with CERT@VDE (participants) offer high-quality and highly reliable products in the field of automation technology. They are committed to responding responsibly to any vulnerability found in their products that could affect information security.

CERT@VDE supports participants in handling vulnerabilities detected or reported by third parties, whether these are customers, peer companies from the target groups, other CERTs, or trusted partners from science and research.

Trust in a responsible approach to sensitive information is thus the basis of cooperation. As such, CERT@VDE is committed to maintaining the confidentiality of information entrusted to it by participants or third parties and to respecting any requests for anonymity. CERT@VDE will publish information regarding vulnerabilities only after prior consultation and in accordance with the present Disclosure Policy, unless an overriding legal obligation applies.

In general, CERT@VDE processes all reported vulnerabilities and incidents with the affected manufacturers in a cooperative and coordinated manner (“Coordinated Disclosure”). As such, we aim for close cooperation between those who discover vulnerabilities (notifiers), CERT@VDE and manufacturers. Handling vulnerability information responsibly, together with the close cooperation between all affected parties that CERT@VDE facilitates, is intended to prevent vulnerabilities from being disseminated prematurely, as premature dissemination could lead to their exploitation.

Moreover, the schedule within which countermeasures are developed and coordinated publication takes place depends on the circumstances of the individual case, which in turn are shaped by the life cycle of the vulnerability, the motivation and behavior of the notifier, and the cooperation of the affected manufacturer.

These circumstances include:

  • the severity of possible effects of a vulnerability
  • the complexity of possible exploitation
  • the availability of workarounds or other countermeasures
  • the capacity of a manufacturer to deliver a patch/workaround
  • the manufacturer’s estimate of the effort required to produce (develop, test and release) a patch

As a general rule, publication should take place within 45 days at the most. In exceptional cases where publication needs to take place later than 45 days, CERT@VDE will document the reasons for this. Should a manufacturer, integrator or supplier prove uncooperative, responding to neither telephone calls nor emails and not delivering an acceptable schedule, CERT@VDE will, in agreement with the notifier, publish the vulnerability even if no patch or workaround is available.

CERT@VDE will propose the established schedule to the notifier and request that they refrain from publishing the vulnerability themselves before coordinated publication by CERT@VDE has taken place. Should the notifier not agree to the proposed schedule and insist upon earlier publication, CERT@VDE will communicate this to the affected manufacturer and adjust the schedule accordingly, since coordinated publication by CERT@VDE always takes priority over direct publication by the notifier.

Any vulnerability published in advance by the notifier or a third party will be published by CERT@VDE without delay. Ideally, any available workaround or countermeasure should be issued along with the publication, or as quickly as possible thereafter.

The name and contact information of the notifier of a vulnerability will be forwarded to the manufacturer by CERT@VDE unless this is expressly prohibited in the message reporting the vulnerability. Should a notifier wish to remain anonymous, CERT@VDE offers to handle all communication between the affected manufacturer and the notifier. In that case, CERT@VDE will keep the notifier informed of the schedule and the status of the work being carried out, without disclosing any confidential information concerning the manufacturer.