Northwave's Coordinated Vulnerability Disclosure

At Northwave, we are dedicated to increasing cybersecurity resilience world-wide. Our people engage in cybersecurity research not solely for skill development, realistic adversary simulations, or showcasing capabilities. We use Coordinated Vulnerability Disclosure (CVD) to ensure that everyone ultimately benefits from our research. At the same time, we are careful not to jeopardise organisations or individuals. We believe a balance exists between keeping a technique or vulnerability secret and making it public:

  • While maintaining secrecy can prevent large-scale abuse, it might allow small-scale abuse to persist undetected.
  • When details are published in collaboration with the affected party, large-scale abuse is prevented and end-users can protect themselves.

Hence, our intention is to notify the relevant parties about the vulnerabilities we identify. Throughout this process, we act in the public interest as much as possible. We prioritise cooperative efforts to minimise the potential for extensive abuse, while offering end-users the opportunity to protect themselves. To carry out this procedure with transparency, ethics, and efficacy, we adopt the Coordinated Vulnerability Disclosure policy outlined below.

If you want to report a vulnerability to Northwave, please refer to our responsible disclosure guidelines instead.

90+30 policy

We follow a 90+30 disclosure deadline policy: a party has 90 days after receiving our notification of a cybersecurity vulnerability to develop a patch and make it available to users. If the patch is made available within those 90 days, we publicly disclose details of the vulnerability 30 days after the patch has been made available to users.

For example:

  • If a party patches a security issue 47 days after we notified the party about the vulnerability, details would be made public on day 77.
  • If a party patches a security issue 83 days after we notified the party about the vulnerability, details would be made public on day 113.

If a party is unable to patch an issue within the initial 90 days, we make the details of the vulnerability public at the end of the 90-day period. This allows end-users to make informed decisions about their exposure. We do not publicly disclose vulnerability information before the end of the 90-day period unless there is a reason to and the party agrees to publication. Privately, we may share vulnerability information under TLP:RED[1] in order to protect our own clients, or in threat intelligence partnerships where such information is handled securely.

Grace period

If a party is unable to make a patch available within 90 days but will make one available within an additional 14 days (i.e., within 104 days of the vulnerability being disclosed to the party), the party and Northwave can mutually agree on a grace period. In that case, we publicly disclose details of the vulnerability 120 days after the vulnerability was initially disclosed to the party, regardless of on which day within the grace period the patch is released.

In-the-wild vulnerabilities

If we find evidence that a vulnerability is being actively exploited against real users "in the wild", a 7-day disclosure deadline replaces the 90-day deadline. The 30-day window still applies: we publicly release details of the vulnerability 30 days after a patch is made available to users, as long as the patch was made available by the end of the 7-day deadline.

The grace period for in-the-wild vulnerabilities is 3 days. As with the 90-day policy, details of vulnerabilities patched during the grace period are released to the public 30 days after the original deadline (i.e., on day 37), regardless of on which day within the grace period the patch is released.

Mutually agreed disclosure

In any of the above cases, Northwave and the relevant party can mutually agree to release details of a vulnerability earlier or later than the date indicated by this policy. As long as we are in constructive communication with a party about a fix, we are willing to be flexible: a positive security outcome is the goal.

Ownership

Given our intention to improve security for end-users, we want to share information on the vulnerabilities we find. However, our research remains our own. A party is not entitled to information on vulnerabilities and cannot make demands on the details of publication, as we are not obliged to share anything.

Our policy is based on the disclosure policy of Google's Project Zero. If you have questions about our policy, please contact security@northwave.nl. If you have questions about a case in progress, please contact the relevant researcher on the case.

[1] https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage
