Webinar | Modernizing Asset Inventory: A Smarter Approach to Securing Industrial Environments
Register
The goals of Nozomi Networks, Inc. Labs (“Nozomi Networks Labs”) Vulnerability Disclosure policy are two-fold:
To achieve these goals, Nozomi Networks Labs adopt the following disclosure timeline.
Deadline: Day 30
Nozomi Networks Labs will attempt to contact the vendor, either directly or indirectly via a CVE Numbering Authority of Last Resort (CNA-LR).
Nozomi Networks Labs will provide the vendor with a vulnerability advisory report containing an overall description of the issue, an in-depth technical analysis, possible remediation suggestions, and a copy of this vulnerability disclosure policy. Any vulnerability advisory report produced by Nozomi Networks Labs is the property of Nozomi Networks and cannot be reproduced, distributed, transmitted, shared, copied, or modified, without the prior written consent from Nozomi Networks.
The vendor has up to 30 days to reply from the initial disclosure, acknowledging that the issue is under analysis.
Nozomi Networks Labs will attempt to notify the vendor via the established communication channel if they fail to meet this deadline.
Deadline: Day 90
The vendor has to reply within 90 days maximum from the initial disclosure, producing:
Nozomi Networks Labs will attempt to notify the vendor via the established communication channel if they fail to meet this deadline.
Nozomi Networks Labs will review the provided information and, if necessary, start a discussion with the vendor with the aim to reach a mutually-agreed action.
Deadline: Day 180
The vendor has to publicly resolve the vulnerability in 180 days maximum from the initial disclosure.
After the vendor has publicly resolved the issue, or after 180 days from the initial disclosure (whichever comes first), Nozomi Networks Labs will release a public notification of the vulnerability and, at discretion, a technical blogpost of the issue.
Nozomi Networks Labs is aware that some vulnerabilities can have profound ramifications on the affected systems. For this reason and on a case-by-case basis, Nozomi Networks Labs may exceptionally agree to a timeline extension upon request by the vendor, provided, however, that the vendor satisfactorily illustrates to Nozomi Networks Labs the technical rationale behind the request.
During the interim period prior to the public disclosure, Nozomi Networks Labs will proceed with an early disclosure of the vulnerability only to subscribers of Nozomi Networks’ service. This disclosure will be done in the form of an advisory, containing a high-level description of the issue and some suggested mitigations, and in the form of an update of Nozomi Networks' Threat Intelligence feed, containing one or more strategies to detect the issue. All content will be distributed under the Traffic Light Protocol (TLP):AMBER+STRICT level, to alert such subscriber against any dissemination of the vulnerability ahead of the public disclosure. Nozomi Networks Labs will provide advance notice to the vendor before proceeding with such early disclosure.
At any stage of this process, Nozomi Networks Labs is fully committed to working with vendors to ensure that the technical details and severity of a reported security issue are fully understood. This is accomplished by sharing with the vendor technical information gathered through the research and -- when possible -- a reliable way to reproduce the issue.
If a vendor chooses not to take the actions requested herein and fails to meet the disclosure timeline, or is unable to provide a sound explanation for not meeting the expectations, Nozomi Networks Labs, after 180 days from the initial disclosure, will publish an advisory with limited technical details including mitigations.
In all the cases, Nozomi Networks Labs will formally and publicly release its security advisories.
