In a coordinated vulnerability disclosure process, vulnerabilities are reported to the manufacturer or provider of the potentially vulnerable products and services. In the best case, the notification allows the recipient to confirm the vulnerability and fix it before the detailed vulnerability information becomes public.

Traficom's National Cyber Security Centre (NCSC-FI) is the national information security authority responsible for collecting information on security breaches and threats, communicating information on security threats and producing a national cybersecurity snapshot.

Software vulnerabilities are a serious threat to the normal functioning of society. Vulnerabilities are discovered, for example, during system testing, security research or during the normal use of systems. Discoveries must be handled responsibly, as they can have far-reaching negative effects on people's privacy, property and business, and even national security.

Objectives

The NCSC-FI coordinates the controlled disclosure of vulnerabilities. This work is done in collaboration between the vulnerability finders, the software manufacturers affected by the vulnerability and the end users. The aim of vulnerability coordination is to ensure that information about vulnerabilities and their appropriate repair, including updates, reaches everyone, including the end users of the product, in a timely manner.

The vulnerability finder should be aware that the level of cybersecurity maturity of software vendors varies. For some manufacturers, the process of dealing with vulnerabilities can be laborious and time-consuming. As a vulnerability coordinator, we promote the responsible handling of vulnerability information at all stages of the vulnerability life cycle. The NCSC-FI aims to ensure that all reported vulnerabilities are fixed or mitigated.

Vulnerability coordination

The coordination process usually starts when a vulnerability is reported to the NCSC-FI. For example, you can file a report in person, on behalf of an organisation or anonymously. In a typical case, the vulnerability coordination process proceeds as follows:

  • The NCSC-FI will analyse the reported vulnerability and confirm the technical details with the reporter.
  • The parties will agree on the communication of the case, target timelines and other details of the process.
  • The NCSC-FI will start a discussion with the manufacturer of the product or service provider.

Coordination prioritises vulnerabilities that affect multiple vendors and multiple products. Typical examples are vulnerabilities affecting a large user base or critical infrastructure.

The NCSC-FI works with its counterparts on vulnerabilities with cross-border implications. Cooperation with EU Member States is particularly active.

Disclosure schedule

The disclosure schedule for vulnerabilities brought to the attention of the NCSC-FI will be negotiated with software manufacturers. There is not always something to disclose about a vulnerability. In such cases, the responsible party fixes the vulnerability, informs its customers and thanks the person who discovered the vulnerability. If there is a need to publicly disclose a vulnerability, its disclosure will be mutually agreed between the parties. The NCSC-FI does not disclose information on vulnerability exploitation methods.

Contact information

The NCSC-FI uses the following email address for communication related to vulnerabilities: vulncoord@traficom.fi.