Report a vulnerability
Detection, research and elimination of vulnerabilities in software and hardware solutions shall be carried out in close coordination between the researcher who has detected the vulnerability (hereinafter referred to as “Researcher”), a coordination center (hereinafter referred to as “Coordinator”) and the producer (hereinafter referred to as “Producer”) of software or software and hardware solutions in which the vulnerability has been detected (hereinafter referred to as “Product”). This process shall take place in accordance with the principles of responsibility and full disclosure.
When detecting and eliminating vulnerabilities, KL-ICS-CERT acts as Researcher and Coordinator. As a Researcher, KL-ICS-CERT shall initiate and carry out product research in order to detect and analyze potential vulnerabilities. As a Coordinator, KL-ICS-CERT shall analyze information about a vulnerability in the Producer’s Product presented by the Researcher, verify that information and transfer it to the Producer, as well as deal with the Producer to eliminate any vulnerabilities detected.
This document sets forth the procedure and policy for the processing of information about Product vulnerabilities that have come to KL-ICS-CERT’s knowledge. The major purpose of this process is to enhance the security of owners and users of industrial site automation systems against cyber attacks. To this end, KL-ICS-CERT cooperates with the Producer, facilitating early development of a Product update to eliminate any vulnerabilities and develop the required safeguards.
The objectives of this policy, which lays out the vulnerability disclosure procedure, shall not apply to vulnerabilities detected in:
- the policies, processes, procedures and unique Product configuration in the User infrastructure;
- unique software tools and software and hardware solutions designed in accordance with the requirements and at the request of a sole customer and operated by a sole User.
If information about a vulnerability has been received by KL-ICS-CERT from employees of Kaspersky Lab and the vulnerability itself has been detected while Kaspersky Lab employees have been conducting work under the User’s contract with the intention of detecting this type of vulnerability in that particular Product, and the provisions of the Policy are in conflict with the terms explicitly stated in the contract between Kaspersky Lab and the User, the corresponding contract terms shall apply to KL-ICS-CERT vulnerability disclosure.
Elimination of vulnerabilities in KL-ICS-CERT
Elimination of vulnerabilities in KL-ICS-CERT is subdivided into the following stages: (1) Vulnerability detection → (2) Vulnerability analysis → (3) Coordination of vulnerability elimination → (4) Vulnerability disclosure.
1) Vulnerability detection
KL-ICS-CERT receives information about a vulnerability as follows:
- Product research performed by KL-ICS-CERT employees, for instance, at the request of the User or Producer;
- from third-party Researchers, including Kaspersky Lab employees;
- from open sources.
2) Vulnerability analysis
When KL-ICS-CERT specialists receive information about a vulnerability, they carry out an initial vulnerability analysis in order to provide a reliable description of the detected vulnerability in terms of the following parameters (features):
- description of vulnerability: short description of the detected vulnerability;
- environment: information about the conditions under which the vulnerability was detected (software or firmware version in which the vulnerability was detected, as well as any special information about the configuration);
- technical details: extended description of the vulnerability;
- impact on security: evaluation of the vulnerability’s impact on overall Product security (e.g. according to the STRIDE model);
- criticality of the vulnerability: potential consequences of vulnerability exploitation;
- software demonstrating the actual or potential functionality to exploit the vulnerability (Proof of Concept, hereafter referred to as POC);
- contact information of the Researcher who detected the vulnerability.
The progress of the initial analysis depends on the source of information about the vulnerability.
Information about vulnerabilities detected by employees of KL-ICS-CERT or Kaspersky Lab, or received from the Producer is considered to be reliable. The information is verified to ensure it is complete. If necessary, the Product in which the vulnerability was detected is analyzed in order to finalize details or to obtain missing data.
Information about a vulnerability received from a third party or from open sources is considered unreliable. This information undergoes a comprehensive review. If necessary, the Product in which the vulnerability was detected shall be analyzed.
In some cases, to determine the complete set of conditions under which the vulnerability was detected, for a more accurate description of the technical details, and to assess the vulnerability’s impact on Product security, part of the information received by KL-ICS-CERT in the course of vulnerability analysis may be transferred to the Researcher.
Under no circumstances shall software demonstrating the actual or potential functionality to exploit the vulnerability (POC), developed by KL-ICS-CERT specialists in the course of vulnerability analysis, be transferred to the Researcher.
Information received about a vulnerability is recorded in an internal KL-ICS-CERT database; an internal ID is allocated to the vulnerability:
- KL_ICS_ID – unique vulnerability ID in format KL_ICS_yyyy_xxxx (prefix_year_number), e.g. KL_ICS_2016_0104.
If initial information about the vulnerability was received from a third party, a brief research report confirming or refuting the existence of the vulnerability and the vulnerability ID in KL-ICS-CERT database shall be transferred to the Researcher.
3) Coordination of vulnerability elimination
Following vulnerability analysis, KL-ICS-CERT gives full information about the vulnerability to the Producer. Additionally, the Producer shall be given the contact information of the Researcher who detected the vulnerability.
Further, in order to develop safeguards and remedy Product vulnerability, KL-ICS-CERT shall work with the Producer, and in some cases with the Researcher.
A major objective of KL-ICS-CERT is to test the Product update developed by the Producer and any additional recommended safeguards. In some cases (e.g. at the Producer’s request), KL-ICS-CERT may act as a consultant suggesting various options to the Producer to rectify the vulnerability and the list of additional safeguards. KL-ICS-CERT reserves the right to refuse to fulfill this role without explanation.
In the course of cooperation with the Producer, KL-ICS-CERT may change or specify information about the vulnerability, if necessary.
Upon notifying the Producer about a detected vulnerability and having transferred detailed information about the vulnerability to the Producer, KL-ICS-CERT shall estimate the maximum time required to remedy the vulnerability and to disclose the vulnerability based on such characteristics as ease of use of the vulnerability and the severity of the consequences of its possible use. This timeframe shall be coordinated with the Producer in order to account for time objectively required by the Producer to develop a public update for the Product or the list of safeguards.
However, KL-ICS-CERT reserves the right to estimate independently the maximum time before disclosing the vulnerability, if KL-ICS-CERT’s assessment of the possible consequences of the vulnerability exploitation means that information about the vulnerability cannot be kept secret for the time required by the Producer to develop a public Product update or the list of safeguards, or if the Producer does not state the time it needs to develop a public Product update or the list of safeguards within 30 days of receiving the information about the vulnerability, or if within 30 days of the information about a vulnerability being received KL-ICS-CERT employees for objective reasons cannot contact the Producer (e.g. the Producer’s website is unavailable, there is no publicly available contact information, or for other reasons beyond KL-ICS-CERT control).
The estimated minimum time before vulnerability disclosure is 45 days from the moment information about the vulnerability is transferred to the Producer.
The result of working with the Producer includes a final precise vulnerability description, a list of measures to remedy the vulnerability and the maximum estimated time before vulnerability disclosure.
If it is found that a vulnerability affects the products of several Producers, KL-ICS-CERT shall transfer information about the vulnerability to each of the Producers identified.
4) Vulnerability disclosure
Before the release of a public Product update or the list of safeguards to defend against exploitation of a particular vulnerability, KL-ICS-CERT shall retain the right to use vulnerability information in the following instances:
- to develop its own safeguards and tools that are not part of the Product;
- to develop protective technologies in Kaspersky Lab products that detect and prevent possible attacks that make use of that particular vulnerability;
- when auditing and surveying infrastructure security status at the request of a User (in this case, the User shall only be informed of the vulnerability presence, its severity, the status of work to remedy the vulnerability and offered a list of additional safeguards).
Following the release of a public Product update or development of a list of safeguards against the exploitation of a particular vulnerability or following the expiry of the maximum time set for vulnerability disclosure, KL-ICS-CERT shall retain the right to disclose the vulnerability in order to notify the User (including potential Users) about the presence of the vulnerability and the need to implement the recommended safeguards.
A vulnerability may be disclosed as follows:
- publication on the official KL-ICS-CERT website;
- notification of Clients and other stakeholders through direct emails;
- transfer of information about the vulnerability to public authorities and international organizations that coordinate efforts aimed at the provision of information security for industrial enterprises;
- use of information about the vulnerability in official KL-ICS-CERT training materials and manuals;
- use of information about the vulnerability during audits and surveys of infrastructure security, at a User’s request;
- in other cases at the request of a User.
At the same time KL-ICS-CERT:
- shall provide information about a vulnerability that focuses on the technical information and ways to remedy the vulnerability;
- shall not provide the User or third parties, except for the Producer, with software demonstrating the actual or potential functionality to exploit the vulnerability (POC).
Guarantee of confidentiality
All information about vulnerabilities transferred to KL-ICS-CERT by a Researcher and Producer as well as that received in the course of vulnerability analysis performed by KL-ICS-CERT shall be treated as confidential and stored and processed in compliance with information security policies adopted in Kaspersky Lab that apply to all Kaspersky Lab employees including KL-ICS-CERT.
In the course of vulnerability analysis and coordination of troubleshooting, KL-ICS-CERT advises the Researcher on significant changes in the status of processing vulnerability information without disclosing any information provided in confidence by the Producer.
If the Researcher explicitly requests KL-ICS-CERT to withhold his name or other contact information, that information shall not be transferred to the Producer or mentioned in any publicly available materials released by KL-ICS-CERT.
As a part of vulnerability disclosure, KL-ICS-CERT publishes all relevant technical information apart from the software demonstrating the actual or potential functionality to exploit the vulnerability (POC).
If KL-ICS-CERT and the Producer cannot come to an agreement on the vulnerability description, the vulnerability information shall be disclosed; data transmitted by the Producer to KL-ICS-CERT shall not be disclosed, but the main differences between KL-ICS-CERT and the Producer shall be recorded in the vulnerability description.
You can report vulnerabilities to KL-ICS-CERT by email at email@example.com or by phone: 1-866-323-4801, Option #3 (Business Product Support, open 9am to 8pm UTC-5). When sending emails, we recommend encrypting messages using a public key: .
For all requests please email firstname.lastname@example.org or contact one of our regional offices by phone: