CVE Responsible Disclosure Policy
The CERT-XLM is an accredited CSIRT team of TF-CSIRT Trusted Introducer, member of FIRST and the CERT.LU initiative. As a Computer Security Incident Response Team (CSIRT), we are committed to sharing with our peers and constituencies the identified vulnerabilities in vendors’ products.
Reporting a vulnerability to a vendor is a way to improve cybersecurity globally. It allows users to be notified of the issue and lets them perform the appropriate remediating actions. At the same time, reporting must be performed with care so as not to give potential attackers knowledge of potential victims.
Whenever a new vulnerability is discovered and reported, CERT-XLM will be in charge of the public disclosure. The vulnerabilities are reported in a responsible disclosure way to the vendors following a well-defined process in coordination with the Vendor/Vendor’s PSIRT (Product Security Incident Response Team) and MITRE.
If requested, during this process, our clients are kept informed of the vendor feedback, the proposed action plan, and the timeline for the mitigation of the issues.
Regardless of how the vulnerability was discovered and by whom (the finder), CERT-XLM will in no case reveal the name of the customer at which the finding was made.
If the vendor wishes to publish the CVE by itself, and/or if the vendor is an official MITRE CVE Numbering Authority (CNA), CERT-XLM’s role is to accompany it until the end of the process, when the vulnerability is registered and disclosed on the vendor’s website, in MITRE’s CVE list and on Excellium’s website advisory page.
Up to ten (10) days are allowed for the point of contact to acknowledge the finding. After that, CERT-XLM will start the CVE registration process whether or not an acknowledgment was given.
Any vulnerability will be registered with MITRE so that it is associated with a CVE Identifier (CVE ID, formed as follows: “CVE-YYYY-DDDD”, YYYY being the registration year and DDDD the number attributed by MITRE).
A thirty (30) day period is allowed for the vendor to work on a fix. This grace period can be extended on demand, if backed by strong technical explanations, up to ninety (90) days.
Any CVE that CERT-XLM reported to a vendor will, once a fix has been made available (or the grace period has expired) and the vulnerability has been publicly disclosed, be referenced on Excellium’s website advisory page with MITRE’s CVE ID. The MITRE vulnerability registration will be updated with the information available from the vendor’s PSIRT, if any.
Vendors are kindly asked to refer, in their public disclosure:
- To this webpage (using the URL https://excellium-services.com/cert-xlm-advisory/<MITRE-CVE-ID>)
- To the finder’s name (only when requested).
The CERT-XLM never discloses information that could directly help third parties to exploit a vulnerability in a product.
If the vendor does not respond to CERT-XLM’s solicitations, the vulnerability will be responsibly disclosed 90 days after CERT-XLM has notified the incident response teams of the groups to which CERT-XLM belongs.