Vulnerability disclosure policy

The investigation and exploitation of vulnerabilities is a strategy aimed at compromising the information and security of the affected systems. Vulnerabilities are often used in the commission of economic crimes, theft of information or credentials, etc., and they have also been linked to attacks on strategic infrastructures in several countries. It is therefore crucial to articulate procedures for vulnerability reporting and patching.

INCIBE-CERT has an established CVD (Coordinated Vulnerability Disclosure) policy that supports those who wish to provide information on vulnerabilities detected, both in INCIBE-CERT's own systems and in the systems of third parties, citizens and private entities in Spain.

For this reason, INCIBE-CERT provides support to those people who wish to provide information on vulnerabilities they have detected, and acts by anonymising the informant's data, unless the informant expressly indicates otherwise (at any time during the vulnerability management) or a judge so requires.

INCIBE-CERT acts as the Spanish CNA (CVE Numbering Authority) for vulnerability discovery and management practices, under the CVE programme. In addition to the work of coordinating and assigning CVE identifiers, INCIBE adopts the role of Root, taking on the coordination of possible CNAs under its scope. It is important to note that this CNA policy does not cover the notification of vulnerabilities observed on assets, when the identified vulnerability already has an assigned and published CVE. In these cases, you should refer to the incident reporting section of INCIBE-CERT.

INCIBE-CERT and INCIBE coordinate the documentation, disclosure and discovery of new vulnerabilities. Specifically, INCIBE has scope over Spanish organisations through its role as Root and, as a CNA, it has the authority to assign CVE identifiers to vulnerabilities that fall under its vulnerability coordination function in the areas of Industrial Control Systems (ICS), Information Technology (IT) and Internet of Things (IoT) at national level, as well as to vulnerabilities reported to INCIBE by Spanish organisations and researchers that are not within the scope of another CNA, all under the CVE standard.

What is a vulnerability?

According to ENISA's definition, a vulnerability is a weakness or a design or implementation error that can lead to an event that compromises the security of a device, operating system, network, programme or protocol involved in any of the above.

What is not a vulnerability?

The scope of the definition of a vulnerability should not be confused with that of an incident, also defined by ENISA as an event that has been assessed as having an actual or potentially adverse effect on the security or performance of a system.

At INCIBE-CERT, we have a taxonomy for the classification of security incidents, and it includes different types of incidents related to identified or known vulnerabilities. Some examples of incidents caused by vulnerabilities are:

  • Attempted intrusion:
    • Exploitation of known vulnerabilities: attempt to compromise a system or interrupt a service by exploiting vulnerabilities with a standardised identifier (buffer overflow, XSS, backdoor, etc.).
    • Multiple access attempts with breach of credentials (brute force, password cracking...).
    • Unknown attack using exploit.
  • Intrusion:
    • Application compromise: carried out by exploiting software vulnerabilities.
  • Availability:
    • DoS/DDoS by flooding a web application or service to slow down its operation or directly interrupt its service.
  • Vulnerable:
    • Publicly accessible services that may present weak cryptography (web servers susceptible to POODLE, FREAK, Heartbleed attacks...).
    • DDoS amplifier: publicly accessible services that can be used for reflection or amplification of DDoS attacks, e.g. by leveraging the functionality of open DNS resolvers to overload a specific network or server with an amplified amount of traffic.
    • Vulnerable system for various reasons (poor proxy configuration in a Web Proxy Autodiscovery Protocol client, out-of-date system, lack of antivirus and/or firewall...).

Actions not allowed in the search for vulnerabilities

It is vital to act in accordance with the applicable legislation, since notifying a vulnerability does not imply exemption from compliance. Likewise, looking for vulnerabilities cannot be used as a pretext to attack a system or any other target. Several actions are not allowed, for example:

  • using social engineering;
  • compromising a system and maintaining the access on a persistent basis;
  • tampering with data accessed by means of exploitation of the vulnerability;
  • using malware;
  • using vulnerabilities for any purpose beyond proving their existence. To show the existence of the vulnerability non-aggressive methods can be used, for example by listing a system directory;
  • using brute force to gain access to systems;
  • sharing the vulnerability with third parties;
  • performing DoS or DDoS attacks.

In any case, the vulnerability should be reported as soon as it is detected and not exploited in any way.

Addressing vulnerabilities

When INCIBE-CERT receives a vulnerability notification, the first step is to check whether it is a new vulnerability in a product, or an end-user incident.

In the first case, when there is a new vulnerability in a product, INCIBE-CERT's CNA (CVE Numbering Authority) team manages those 0-days or vulnerabilities not yet known to the manufacturer of the affected asset, which have not yet been assigned a CVE identifier. INCIBE-CERT's CNA coordinates the communication between the researcher and the owner of the affected product, performs the public disclosure of the new vulnerability and documents it as a new CVE.

In the second case, that of an end-user incident, the INCIBE-CERT incident management team is responsible for triage and classification of the incident, notifying affected users and stakeholders, and sharing technical details and solutions, all while respecting the anonymity of the researcher.

How to report a vulnerability?

New vulnerability

To report a potential CVE candidate to INCIBE-CERT's CNA team, please send an email to the mailbox Buzón CNA de INCIBE-CERT, where you will be guided through the whole process of assigning and publishing the CVE.

It is advisable to transmit the information encrypted with the public PGP key associated with this mailbox (download public key).

For more details on how to contact INCIBE-CERT's CNA team and the process of assigning and publishing CVEs, please consult the INCIBE-CERT's page on the subject.

Security incident

If you want to report an incident, please send an email to Buzón de INCIBE-CERT. It is advisable to transmit the information encrypted with the PGP public key of the corresponding INCIBE-CERT mailbox.

The following information is required to report a vulnerability:

  • clear and detailed description of the vulnerability;
  • clear and detailed information on how the vulnerability was discovered. The aim is to be able to reproduce it.

Other information may be useful when reporting the vulnerability:

  • proof of the existence of the vulnerability (screenshot, link, etc.);
  • timeline or temporal information on when the vulnerability was discovered;
  • any information you consider necessary to locate and resolve the vulnerability as quickly and efficiently as possible.

Once the notification has been received, INCIBE-CERT will confirm its receipt and start communicating with the interested party. To this end, INCIBE-CERT has a team that operates continuously on a 24x7 (24 hours a day, 7 days a week) basis and has procedures in place to receive vulnerability reports by e-mail or telephone.

If the vulnerability involves a critical infrastructure operator, INCIBE-CERT also has a number of different contact points –by virtue of its signed agreements with the operators– to facilitate communication and ensure that the notification has been correctly received. In addition, its specialised technical team offers support to mitigate and resolve the vulnerability as soon as possible.

Compensation, rewards and acknowledgement

INCIBE-CERT sincerely appreciates and values the work of vulnerability reporters, but does not have the capacity to financially reward their work.

However, INCIBE-CERT is authorised, in its role as CNA, to publish the corresponding notice in its CNA section.

In addition, INCIBE-CERT maintains a hall of fame of researchers who have participated in the CVE programme coordinated by its CNA and who have agreed to be listed, so that their security discoveries are recorded as a form of recognition and acknowledgement.