ICS-CERT Vulnerability Disclosure Policy

ICS-CERT will attempt to coordinate all reported vulnerabilities with the affected vendor.

An appropriate timeframe for mitigation development and the type and schedule of disclosure will be determined based on the factors involved. Extenuating circumstances, such as active exploitation, threats of an especially serious nature, or situations that require changes to an established standard, may result in earlier or later disclosure. Other factors include

The name and contact information of the reporter will be forwarded to the affected vendors unless otherwise requested by the reporter. ICS-CERT will advise the reporter of significant changes in the status of any vulnerability reported to the extent possible without revealing information provided in confidence by the vendor.

Affected vendors will be apprised of any publication plans, and alternate publication schedules will be negotiated with affected vendors as required.

UPDATE!  In cases where a vendor is unresponsive, or will not establish a reasonable timeframe for remediation, ICS-CERT may disclose vulnerabilities 45 days after the initial contact is made, regardless of the existence or availability of patches or workarounds from affected vendors.

It is the goal of this policy to balance the need of the control system community to be informed of security vulnerabilities with the vendors' need for time to respond effectively. The final determination of the type and schedule of publication will be based on the best interests of the community overall.

The ICS-CERT vulnerability remediation process involves five basic steps:

  1. Detection/Collection—ICS-CERT collects vulnerability reports in three ways: ICS-CERT vulnerability analysis, monitoring public sources of vulnerability information, and direct notification of vulnerabilities to ICS-CERT. After receiving a report, ICS-CERT does an initial surface analysis to eliminate duplicates and false alarms. ICS-CERT then catalogs the vulnerabilities, including all of the information (public and private) that is known at that point.
  2. Analysis—Once the vulnerabilities are cataloged, vendor and ICS-CERT analysts work to understand the vulnerabilities by examining and identifying the issues, as well as the potential threat. ICS-CERT analysis may involve testing the vulnerability using the Advanced Analytical Lab, doing necessary research, and working directly with the affected vendor.
  3. Mitigation Coordination—After analyzing a vulnerability, ICS-CERT will continue to work with the vendor for mitigation and patch issuance. ICS-CERT has established secure and trusted partnerships with control systems vendors for vulnerability disclosure and overall technology assessment and testing functions. ICS-CERT will work with the vendors to allow sufficient time to effectively resolve and perform patch regression testing against any given vulnerability. Additionally, ICS-CERT has experience successfully coordinating response to vulnerabilities that affect multi-vendor products.
  4. Application of Mitigation—ICS-CERT will work with the vendor to allow sufficient time for affected end users to obtain, test, and apply mitigation strategies prior to disclosure.
  5. Disclosure—After coordinating with vendors and gathering technical and threat information, ICS-CERT will take appropriate steps to notify end users about the vulnerability. ICS-CERT strives to disclose accurate, neutral, objective information focused on technical remediation and mitigation for asset owners and operators.  ICS-CERT will reference other available information and correct misinformation when possible.

To report a vulnerability to ICS-CERT, please email ics-cert@dhs.gov or call 1-877-776-7585.  When sending sensitive information to ICS-CERT via email, we encourage you to encrypt your messages.

Download the public key.