CERT NZ coordinated vulnerability disclosure policy
This policy outlines how the Ministry of Business, Innovation and Employment’s (“MBIE”) CERT NZ function will coordinate the disclosure of information relating to vulnerabilities which, if exploited, could give rise to a compromise or degradation of the confidentiality, integrity and availability of a network, system or data.
CERT NZ endeavours to minimise the potential harm and damage that could be caused by the exploitation of vulnerabilities. Where a vulnerability is identified, disclosure can ensure timely and effective resolution.
Wherever possible, CERT NZ encourages any individual or organisation that has identified a potential vulnerability ('Finder') in a product or online service to make direct disclosure to the individual or organisation that developed the product or service or is responsible for maintaining it ('Vendor'). The Vendor may have its own vulnerability disclosure policy or provide guidance on how it will receive disclosures.
Where the Finder does not want to contact the Vendor directly, or has not had any success in contacting the Vendor directly, CERT NZ is available to receive a vulnerability disclosure. CERT NZ will act as a conduit of information only — we will endeavour to pass information on to the relevant Vendor. The Vendor may then contact the Finder directly and it is then for the parties to manage the relationship. Where the Finder wants to retain anonymity, we will, where appropriate, continue to act as a conduit and pass information between the parties.
CERT NZ will coordinate vulnerability disclosure in order to balance the needs of the public to be informed of potential security vulnerabilities with the need for organisations to have time to effectively address any vulnerability.
The Finder, CERT NZ and the Vendor agree to:
- adopt the procedures outlined in this policy
- operate in accordance with relevant local laws
- take reasonable care to minimise the risk of harm from security research, vulnerability discovery and disclosure
- in the case of the Finder, provide sufficient information on the reported vulnerability as required
- in the case of the Vendor, conduct its own security checks on any disclosure and information received
- maintain discretion, and
- communicate in a timely manner.
Subject to the terms of this policy, CERT NZ will:
- make reasonable efforts to contact the Vendor as soon as practical after receiving a disclosure, and will provide the Finder’s name and contact details to the Vendor (unless anonymity is requested)
- where requested, maintain the Finder’s anonymity to the extent possible
- make reasonable efforts to contact the Finder and the Vendor prior to any release of the disclosure
- seek agreement, where possible, between relevant parties before disclosing information regarding a vulnerability to the public, and
- provide fair treatment to all relevant parties as much as possible.
CERT NZ does not:
- verify, analyse or investigate information provided by the Finder before conveying it to the Vendor
- provide any reward or incentive such as a 'bug bounty'
- recommend or pursue legal action on behalf of another party
- condone or encourage breaches of the law
- offer a whistle-blower service, or
- provide any 'safe harbour' protection from civil or criminal liability.
Vulnerabilities may be made public by CERT NZ 45 days after it notified the Vendor about the vulnerability, regardless of the existence or availability of patches or other mitigating factors. This timeframe may change where the vulnerability is:
- being actively exploited
- publicly disclosed by an entity other than CERT NZ
- reported by multiple sources to CERT NZ or the Vendor
- considered to be exceptionally serious (for example, threatening public safety), or
- where the parties agree or where CERT NZ considers it necessary.
Reporting to CERT NZ
We are available to receive information in accordance with this policy about any vulnerability which, if exploited, could give rise to a compromise or degradation of the confidentiality, integrity and availability of a network, system or data.
To report a vulnerability, send a PGP encrypted email to email@example.com — our PGP fingerprint is 9713 8773 3D95 7FAD C0EA 1797 8EB8 FFBD D973 476E —including the following information.
- Details of the vulnerability including:
- what products/services and versions are affected?
- what platform(s) does the product use?
- what is the likely impact of exploitation?
- any other relevant information you can supply
- any proof of concept.
- We also request information regarding:
- your contact details so we can communicate with you
- whether you have been in contact with the Vendor
- whether this information has been published or shared with others, and
- whether you would prefer to remain anonymous.
CERT NZ will endeavour to respond to the Finder with further details of the process within two business days.
CERT NZ reserves the right to accept, reject, or prioritise any vulnerability disclosure at its discretion. The decision whether to accept or reject the vulnerability disclosure coordination role for a particular disclosure will generally be based on the scope and severity of the vulnerability and our ability to resource the process.
CERT NZ acts only as a conduit in respect of any vulnerability disclosure or associated communication ('Disclosed Information'). CERT NZ and MBIE accept no liability to the Finder, the Vendor or any other party for any direct or indirect loss or damage of any kind whatsoever, however caused including by any act or omission on the part of CERT NZ, and whether under contract, tort (including negligence), statute or any other basis for liability. CERT NZ and MBIE are not responsible for the use of or reliance on the Disclosed Information by any party. CERT NZ does not make any express or implied representation or warranty regarding the Disclosed Information or its accuracy. The provision of Disclosed Information to a party by CERT NZ does not constitute any endorsement, verification or recommendation by CERT NZ.
Information provided to CERT NZ may be disclosed to third parties as required by law or where CERT NZ considers disclosure to be in the public interest.
Any inquiries regarding this policy should be directed to firstname.lastname@example.org.