CERT@VDE

Here you'll find the guidelines and mission statement that inform the work of CERT@VDE.

Guidelines and Compliance

Cooperation with CERT@VDE is based on the following guidelines:

  • Confidentiality of customer data is of the highest priority.
  • Any cooperation happens on a voluntary basis and can be terminated at any time.
  • Personal business concepts must not suffer from any activities of CERT@VDE.
  • Reciprocal contributions and information shall optimise all members’ work processes.
  • Our work and cooperation shall provide a model for CERTs from other sectors.
  • The Code of Conduct applies to VDE Verband der Elektrotechnik Elektronik Informationstechnik e. V. and its associated companies. It applies worldwide to all staff of VDE, including management boards, directors and executives. The Code of Conduct also applies to all members of VDE’s executive bodies and everyone sitting on VDE’s committees and participating in other meetings and activities, even if no service or employment contract with VDE is in existence. It also applies to any experts used in standardisation procedures and in technical and scientific work. Therefore it also applies to all partners and technical experts of CERT@VDE.

Disclosure Policy

Companies working with CERT@VDE (participants) offer high quality and highly reliable products in the field of automation technology. They are committed to responding responsibly to any vulnerability found in their products, which could have consequences for information security.

CERT@VDE supports participants in tackling vulnerabilities detected or reported by third parties, involving clients, peers and other companies from its target groups, as well as other CERTs and trusted peers from the scientific and research community.

Trust in a responsible approach to sensitive information is thus the basis of cooperation. As such, CERT@VDE is committed to maintaining the confidentiality of information entrusted to it by participants or third parties and to respecting any requests for anonymity. Information regarding vulnerabilities will only be published by CERT@VDE after prior discussion and in accordance with the present Disclosure Policy, as long as no overriding legal obligation applies.

In general, CERT@VDE processes all reported vulnerabilities and incidents with the affected manufacturers in a cooperative and coordinated manner (“Coordinated Disclosure”). As such, we aspire to close cooperation between those who discover vulnerabilities (notifiers), CERT@VDE and manufacturers. A responsible approach to vulnerability information, together with close cooperation between all affected parties facilitated by CERT@VDE, should prevent vulnerabilities from being prematurely disseminated, as this could potentially lead to their exploitation.

Moreover, the schedule within which countermeasures and coordinated publication take place should be adjusted to the circumstances of each case, which in turn depend on the life cycle of the vulnerability, the motivation and behavior of the notifier, and the cooperation of the affected manufacturer.

This includes:

  • the severity of possible effects of a vulnerability
  • the complexity of possible exploitation
  • the availability of workarounds or other countermeasures
  • the capacity of a manufacturer to deliver a patch/workaround
  • the manufacturer’s estimation of effort required for generation (development, test and release) of a patch

As a general rule, publication should occur after 45 days at the most. In exceptional cases where publication needs to occur later than 45 days, CERT@VDE will document the reasons for this. Should a manufacturer, integrator or supplier prove uncooperative, responding to neither telephone calls nor emails and not delivering an acceptable schedule, CERT@VDE will, upon agreement with the notifier, undertake publication of the vulnerability, even if no patch or workaround is available.

CERT@VDE will suggest the established schedule to the notifier and request that they refrain from publishing the vulnerability themselves before coordinated publication by CERT@VDE can occur. Should the notifier not agree to the suggested schedule and insist upon earlier publication, CERT@VDE will communicate this to the affected manufacturer and modify the schedule accordingly, given that coordinated publication by CERT@VDE always has priority over direct publication by the notifier.

Any vulnerability published in advance by the notifier or a third party shall be published by CERT@VDE without delay. Ideally, any possible workaround or countermeasure should be issued along with the publication, or as quickly as possible thereafter.

The name and contact information of the notifier of a vulnerability will be forwarded to the manufacturer by CERT@VDE unless this is expressly prohibited in the vulnerability report. Should a notifier wish to remain anonymous, CERT@VDE offers to facilitate all communication between the affected manufacturer and the notifier. CERT@VDE will then inform the notifier of the schedule and status of the work being carried out, without disclosing any confidential information concerning the manufacturer.

Mission Statement

Trust and efficiency are necessary for any communication on security vulnerabilities.

CERT@VDE assists SMEs in Industrial Automation with the handling of vulnerabilities and product security incidents. It provides a trusted platform for cross-organizational collaboration.

CERT@VDE

  • Provides a neutral, trustworthy and secure platform for collaboration between vendors.
  • Assists with the coordinated disclosure of vulnerabilities.
  • Enables exchange and discussion of methods and practice for product security.
  • Processes vulnerability information from multiple sources and provides it to the target constituency, i.e. vendors, integrators and users of industrial control systems (ICS).
  • Organizes workshops for the industry.
  • Develops processes and best practices with its partners in the industry.
