As part of an ongoing review of how our research activities have performed, we’ve taken the opportunity to redefine our process of disclosing vulnerabilities to better align with current good practice. As a result of this, we’ve prepared a new Co-ordinated Disclosure Policy and assigned members of our technical team to drive the processes that underpin it.
The first change is that we’ve moved from Responsible to Co-ordinated. This is largely a semantic change, but reflects the mature industry view that using the word “responsible” is loaded and puts researchers in a difficult position even where they have attempted to co-ordinate a disclosure. This is a view that has previously been recognised by Microsoft amongst others, so we believe the market is ready for the change.
Our second change is that we will be pre-announcing vulnerabilities 7 days after we have notified the vendor. The pre-announcement will detail the vendor, the date we reported the vulnerability, when it is expected to be disclosed and the category of vulnerability that we have found. The aim here is to give a clear signal to vendors that we intend to publish and to make our process more transparent. You can find our pre-announcement page here. Sometimes the only sensible outcome is to notify the community at large about vulnerabilities discovered where the vendor is unwilling or unable to fix the underlying issue. Clearly this “forced” disclosure is sub-optimal, so our new Co-ordinated Disclosure Policy makes it clear that this is a final resort where a vendor fails to engage with Portcullis.
Once this pre-announcement has been made, we will be working closely with vendors to ensure that we support their efforts to fix their issues. This will, however, require regular communication between Portcullis and the identified vendor contact. Indeed, as our new policy makes clear, we will expect regular updates, at least once every 30 days, to give us assurance that the appropriate vulnerability validation and resolution steps are being followed. Failure of a vendor to report back to us regularly and with sufficient detail may ultimately trigger a “forced” disclosure, which we’re sure that nobody wants.
The final change is that we will be moving to the industry standard CVE numbering scheme for referencing Portcullis advisories once they are public. Several of our team have individually had good experiences working with MITRE, and we would like to affirm our support for their efforts.
Historically, Portcullis has been quite prolific in publishing advisories but we realise our public output has tailed off. The overall update to our policies and processes and the commitment of internal resource to renew our efforts should be taken as a statement that Portcullis still believe in vulnerability disclosure and that we will be stepping up our output moving forwards.
Come and join Portcullis’ own LinkedIn group, The Portcullis Arms.