
Responsible disclosure

A discovered vulnerability should first be reported to the vendor, who should then be given the opportunity to develop a patch. After the patch has been published, or, in the case of an unresponsive vendor, after the agreed timeframe has passed, the finding should be made public, normally by requesting a CVE identifier (which is then listed in the National Vulnerability Database) and publishing an advisory. Both the Dutch National Cyber Security Centre (NCSC-NL) and the US CERT Coordination Center (CERT/CC) publish guidelines on coordinated vulnerability disclosure; we recommend that you follow the CERT/CC Guide to Coordinated Vulnerability Disclosure, with the default disclosure timeframe set to 90 days.

The biggest failure that can happen in the disclosure process is sensitive vulnerability information reaching the wrong people before a fix is available. To avoid mistakes, keep your supervisor informed throughout the disclosure process, e.g. by copying your supervisor on all correspondence with the vendor.

Typically, the first disclosure step is to identify the person or function in the company to whom the vulnerability should be reported; many vendors state this in a published vulnerability disclosure policy or in a security.txt file (RFC 9116) on their web site, which may also list a PGP key. The second step is agreeing on the communication means, since many vendors prefer an encrypted channel for sensitive information such as vulnerability details. Only after these formalities regarding the communication are settled should the vulnerability details themselves be disclosed.

When reporting a vulnerability, you need to be pedagogical: state the affected product and version, the impact, and precise steps to reproduce the problem. The vulnerability reports published on bug bounty platforms are good examples of this writing style.

If you have found a vulnerability in publicly available software, it qualifies for a CVE identifier, which you request from a CVE Numbering Authority (CNA): the vendor itself if it is a CNA, otherwise MITRE. Being credited as the reporter of a CVE can be valuable when applying for jobs in the cybersecurity sector.

If the disclosure process takes longer than your thesis project, you can still present your thesis, complete the course and receive your credits. KTH will, however, not publish the thesis report until the disclosure process has been completed.

Division of Network and Systems Engineering | KTH