Once ASRG has received your report, we will take several steps:
- ASRG requests that the issue provider keep all communication regarding the vulnerability confidential until the disclosure process is complete; ASRG does the same.
- In case the vulnerability report is not fully understandable or incomplete, ASRG will contact the issue provider to clarify the information gaps.
- If the report meets the required information quality, ASRG will contact the affected manufacturer. If the issue provider wishes to be directly involved in the communication with the manufacturer, ASRG will establish this communication channel.
- ASRG will relay the vulnerability details, advise on potential remediation, and collaborate on a public disclosure timeline.
- Unless one of the involved parties requests another option, ASRG follows a 90-day responsible disclosure and remediation timeline. ASRG's interest is to grant the affected manufacturer a period of time to fix the vulnerability and prevent future damage to consumers and to the manufacturer itself before the information is publicly announced. An extension of this period can be provided at the manufacturer's request, and, depending on the severity or complexity of the disclosed vulnerability, ASRG will delay publication until an effective fix is available.
- If the affected manufacturer does not acknowledge or reply to the initial disclosure email within 30 business days of the original notification, ASRG resends the vulnerability details to the manufacturer's original point of contact and to at least one secondary contact, if a secondary contact is publicly available.
- If an additional 10 business days elapse with no response from the manufacturer after the second notification (40 business days in total since the original notification), ASRG resends the vulnerability details not only to the previous two contacts but also to confidential stakeholders such as Auto-ISAC.
- If the affected manufacturer does not respond to any of the three notification attempts within an additional 10 business days following the third notification (50 business days in total since the original notification), or if the manufacturer indicates that it does not wish to coordinate disclosure, ASRG may elect to issue a public advisory with no further collaboration once the 90-day publication embargo has passed.
- After receiving a statement from the affected manufacturer, ASRG will evaluate it together with the issue provider and decide on further steps depending on the response.
- ASRG will clarify together with the affected manufacturer and the issue provider what is the best way for everyone involved to publish the discovered vulnerability giving full credit to the originator of the issue.
- ASRG, as an officially recognized CVE Numbering Authority (CNA), assigns a CVE ID to the vulnerability.
The affected manufacturer should acknowledge receipt of ASRG's notifications and provide the following:
- an initial confirmation that the vulnerability information has been received
- a point of contact responsible for coordinating and tracking information on the reported issue within the company
- an estimate of when the initial investigation will be completed
- the timeline needed for the manufacturer's own investigation
- regular information updates
- if needed, an official request to extend the fixing period before publication
We greatly appreciate the efforts of the many dedicated people who discover security vulnerabilities and share this information in a trustworthy way. ASRG commits to respecting the interests of the issue provider and can help to resolve possible escalation situations.