Introduction
CTA has adopted a vulnerability communication policy to ensure that CTA members responsibly handle disclosed vulnerabilities in any product or system in a manner that optimises secure outcomes. This policy aligns with industry best practices set by U.S. and international government agencies, including the U.S. Cybersecurity & Infrastructure Security Agency (CISA).
Vulnerabilities in context
All software and hardware products, including cybersecurity systems, contain vulnerabilities exploitable by malicious actors. When such vulnerabilities are discovered, researchers should explore the flaw, discuss it, and determine how adversaries could use it. The cybersecurity industry should rapidly disseminate information about the vulnerability and any associated exploitations, patches, or mitigations. These actions are needed to protect end users and the ecosystem. However, using such disclosures for marketing purposes is counterproductive, reducing the incentive to self-identify and disclose vulnerabilities pre-emptively and reducing trust among users and defenders.
Core Values
CTA members have agreed to operate according to the following principles with respect to handling vulnerabilities post-disclosure. CTA members will:
- Integrity: Act with honesty and transparency with the goal of a secure outcome for the end user.
- Accountability: Take responsibility for their actions and be accountable to stakeholders.
- Collaboration: Work with the global cybersecurity community, advance industry resilience, and minimize the risk of vulnerability exploitation.
- Good Faith: Act as if the organization disclosing a vulnerability is operating in good faith, unless clear evidence emerges to the contrary.
- Benevolence: Publish research regarding vulnerabilities in other vendors’ products for the purpose of increasing the security of the digital ecosystem.
Definitions
For purposes of this policy, CTA uses the following definitions:
- Vulnerability: A vulnerability is a set of conditions or behaviours that affects the confidentiality, integrity or availability of a system or its critical data. Vulnerabilities can be caused by software defects, configuration or design decisions, unexpected interactions between systems, or environmental changes.
- Vulnerability Exploitation: Use of a vulnerability to achieve an impact on the confidentiality, integrity or availability of a system or data.
- Public Disclosure: A vulnerability is “disclosed” when it has gone through a coordinated vulnerability disclosure process and/or has become broadly known within the cybersecurity community.
Standards of Conduct
Integrity and Honesty
- Communications regarding vulnerabilities should be clear, concise, accurate, and competitively neutral. Vulnerability references should include links to the vendor's patch advisory and remediation/best practice guides.
- CTA member companies should not use a disclosed vulnerability in a competitor’s product for commercial advantage through sales and marketing activities, nor should they take actions that disincentivize vendors from disclosing vulnerabilities in their products.
- CTA member companies should describe vulnerabilities in competitors’ products using industry-accepted terminology. For example, when patches are available for a vulnerability, it should be referred to as an ‘N-day,’ not a ‘zero-day.’
Transparency
- CTA member companies should publish research about how malicious actors are exploiting disclosed vulnerabilities in competitors’ products, provide mitigation guidance when available, and share useful information with the safety of users in mind.
- CTA member companies should provide notice to a competitor regarding research into exploitation of a vulnerability in a competitor’s product no less than 48 hours before publishing the analysis. When a member shares its pre-publication analysis of a vulnerability privately or using the Traffic Light Protocol, recipients should protect the shared information appropriately.
Media and Conference Engagement
- When engaging with media, members should focus on technical aspects of the vulnerability and associated exploitation and the steps needed to mitigate it.
- Members should not over-sensationalize a vulnerability and associated exploit when talking with the media or presenting at conferences.
Standards of Care
- CTA member companies should regularly review their products for vulnerabilities and use a coordinated vulnerability disclosure process to address them when identified.
- CTA member companies should issue, or request to be issued, a Common Vulnerabilities and Exposures (CVE) identifier for all vulnerabilities.
- CTA member companies should be transparent in disclosing vulnerabilities, assess all bugs for exploitation potential, and treat them as vulnerabilities where appropriate.
- CTA member companies should accurately use industry-standard CVSS scoring to assess the severity of vulnerabilities and include a Common Weakness Enumeration (CWE) identifier in all CVEs/vulnerability notifications.