Home / What Is Incibe Cert / Vulnerability disclosure policy

Vulnerability disclosure policy

The research and exploitation of vulnerabilities is a strategy designed to compromise the information and security of affected systems. Is usually used in the commission of economic crimes, information theft, credentials harvesting, etc., although they have also been involved in attacks on strategic infrastructures in several countries. It's crucial, therefore, articulate ways for notification and patching of vulnerabilities.

For this reason, INCIBE-CERT provides support to those who want to provide information of vulnerabilities detected in either INCIBE-CERT or third party systems. In addition, INCIBE-CERT anonymizes the personal data of the reporter, unless he explicitly indicates otherwise (at any time during the managing process of the vulnerability) or if a judge requires it.


What is a vulnerability?

According to the ENISA, a vulnerability is The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the computer system, network, application, or protocol involved.


Actions not allowed in the search of vulnerabilities.

It's very important to take into account the respect for the law. Reporting a vulnerability does not imply being exempt from compliance. Vulnerability scanning could not serve as a pretext for attacking a system or any other target. Several actions must be avoided. For example:

  • Using social engineering
  • Compromising the system and persistently maintaining access to it
  • Changing the data accessed by exploiting the vulnerability.
  • Using malware
  • Using the vulnerability in any way beyond proving its existence. To demonstrate that the vulnerability exists, the reporter could use non-intrusive methods. For example, listing a system directory.
  • Using brute force to gain access to systems
  • Sharing vulnerability with third parties
  • Performing DoS or DDoS attacks

Anyway, the vulnerability should be reported as soon as it is detected and must not be exploited in any way.


How to report a vulnerability?

Send an email to Buzón de INCIBE-CERT.. It is advisable to transmit the information encrypted with the public PGP key of the corresponding mailbox of INCIBE-CERT.

The following information is required to report a vulnerability:

  • Clear and detailed description of vulnerability
  • Clear and detailed information of how the vulnerability has been discovered. The objective is to be able to reproduce it.
  • Other information may be useful when reporting the vulnerability:
  • Proof of the existence of the vulnerability (screenshot, link, etc.)
  • Timeline or some information about the moment the vulnerability was discovered.
  • Any type of information deemed necessary to locating and resolving the vulnerability in the fastest and most efficient way possible.

Once the notification is received, INCIBE-CERT will confirm receipt and begin communication with the interested party. In order to perform the management, INCIBE-CERT has a team that operates continuously in 24x7 format (24 hours, 7 days a week) and has enough procedures to communicate the vulnerabilities through email or telephone.

If the vulnerability involves a Critical Infrastructure Operator, INCIBE-CERT also has different contact points – based on its agreements with operators - to facilitate communication and ensure that the notification has been correctly received. In addition, its specialized technical team offers support to mitigate and resolve the vulnerability as soon as possible.

Once the vulnerability is communicated, periodic follow-ups are carried out until the standard term set by the INCIBE-CERT finishes: 45 days and a grace period of 15 days, if the vulnerability is considered to require more time for its solution. During the process, INCIBE-CERT could contact the person who reported the vulnerability requesting more information if necessary or to inform him about the vulnerability status if circumstances permit.

INCIBE-CERT thanks the notification of the vulnerabilities with sufficient time to advice the affected and take part of its solution, if necessary, before making them public. Whether the management of the vulnerability is successful, or if the responsible for managing the vulnerability has not taken sufficient measures to remedy it within 60 days (45 days plus the 15-day grace period, if applicable), INCIBE-CERT will issue a notice publishing the vulnerability together with the reporter, if he wants.


Awards, rewards and thanks

INCIBE-CERT sincerely thanks and appreciates the work of the vulnerability reporter, but does not have the capacity to economically reward its work.

However, if the person reporting the vulnerability desires, INCIBE-CERT will offer its usual communication channels as a promotion for the disclosing of the vulnerability. In addition, if the affected by the vulnerability wants to gratify the reporter in some way, INCIBE-CERT will facilitate the communication between both so that everything is as simple and agile as possible.