Issuer: The person or entity who has submitted the disclosure report and initiated the disclosure process.
ASRG: Moderator of the ASRG disclosure process.
All communication during the disclosure process must remain confidential until the agreed time point.
Once ASRG has received your report, we will take the following steps:
- ASRG will review the provided information and the claims made in the disclosure. If there are open questions or clarification is needed, ASRG will contact the issuer to close the information gaps.
- If the report meets the required quality and content, ASRG will contact the affected manufacturer. If the issuer is to be directly involved in the communication with the manufacturer, ASRG will establish that communication channel.
- ASRG will relay the vulnerability details, and collaborate on a public disclosure timeline.
- After notification, and unless one of the involved parties requests another option, ASRG follows a 90-day responsible disclosure and remediation timeline. ASRG's interest is to grant the affected manufacturer time to fix the vulnerability and prevent future harm to consumers and to the manufacturer itself before the information is publicly announced. An extension of this period can be granted at the manufacturer's request, and depending on the severity or complexity of the disclosed vulnerability, ASRG will delay publication until an effective fix is available.
- If the affected manufacturer does not acknowledge or reply to the initial disclosure email within 30 business days of the original notification, ASRG resends the vulnerability details to the manufacturer's original point of contact and to at least one secondary contact, if a secondary contact is publicly available.
- If an additional 10 business days elapse with no response from the manufacturer after the second notification (40 business days in total since the original notification), ASRG resends the vulnerability details not only to the previous two contacts but also to confidential stakeholders such as Auto-ISAC.
- If the affected manufacturer does not respond to any of the three notification attempts within an additional 10 business days following the third notification (50 business days in total since the original notification), or if the manufacturer indicates that it does not wish to coordinate disclosure, ASRG may elect to issue a public advisory without further collaboration once the 90-day publication embargo has elapsed.
- After receiving a statement from the affected manufacturer, ASRG will evaluate it together with the issuer and decide on further steps depending on the response.
- ASRG will agree with the affected manufacturer and the issuer on the best way for everyone involved to publish the discovered vulnerability, giving full credit to the originator of the issue.
- ASRG, as an officially recognized CVE Numbering Authority (CNA), assigns a CVE ID to the vulnerability.
The affected manufacturer should acknowledge receipt of the notification to ASRG and provide the following:
- an initial confirmation that the vulnerability information has been received
- a point of contact responsible for coordinating and tracking information on the reported issue within the company
- an estimate of when the initial investigation will be completed
- a timeline for the manufacturer's own investigation
- regular status updates
- if needed, a formal request to extend the remediation period before publication
We greatly appreciate the efforts of the many dedicated people who discover security vulnerabilities and share this information in a trustworthy way. ASRG commits to respecting the interests of the issuer and can help to resolve possible escalation situations.