Responsible Disclosure Policy

Version 1.0 | Last updated February, 2023

CyberDanube is an Austrian company that uses self-developed technologies for services in the industrial sector. Starting from the core activity of developing and implementing solutions for information security, CyberDanube offers customers complementary services and expertise in defined areas. CyberDanube’s research division, CyberDanube Security Research, conducts in-depth security research mainly focused on networked industrial equipment. Identified vulnerabilities in such devices are handled carefully and aimed to be disclosed responsibly to the public.
As the highest good is the privacy of our customers, CyberDanube Security Research is not disclosing any vulnerabilities that have been found during an engagement or by a software product from CyberDanube.

Responsible Disclosure Process

CyberDanube is following best practices of the security industry. Therefore, our responsible disclosure process is based on Google’s vulnerability disclosure policy (https://about.google/appsecurity/). We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. Therefore, CyberDanube adheres to a 90-day disclosure deadline. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. That deadline can vary in the following ways:

• If a deadline is due to expire on a weekend or Austrian/US public holiday, the deadline will be moved to the next normal work day.
• Before the 90-day deadline has expired, if a vendor lets us know that a patch is scheduled for release on a specific day that will fall within 14 days following the deadline, we will delay the public disclosure until the availability of the patch.
• When we observe a previously unknown and unpatched vulnerability in software under active exploitation (a “0day”), we believe that more urgent action—within 7 days—is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised. Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.
• We reserve the right to extend or cut deadlines in reasonable cases. Shifted deadlines are communicated to the vendor, with no exceptions.

 

If you have questions or comments about this notice, you may email us at office [at] cyberdanube.com or by mail to:

CD Security Technologies GmbH
Hohenauergasse 21A/1
Vienna, 1190
Austria