ENISA_CVD_policy.md
Coordinated Vulnerability Disclosure Policy

In general, ENISA advises parties to process signalled vulnerabilities and incidents with the affected vendor or manufacturer (i.e., the vulnerability owner) in a cooperative and coordinated manner, under the principles of Responsible / Coordinated Vulnerability Disclosure.

In its role as the secretariat of the EU CSIRTs network, ENISA supports the network members in tackling vulnerabilities detected or signalled by third parties, involving clients, peers and other companies from target groups as well as those from other CSIRTs and trusted peers from scientific and research branches.

As such, ENISA may register vulnerabilities and support vulnerability disclosure in relation to

  • vulnerabilities in IT products discovered by EU CSIRTs
  • vulnerabilities reported to EU CSIRTs for coordinated disclosure, which are not already in another CNA’s scope

Procedures and capacities to support national CVD processes

When reporting a discovered vulnerability and starting a disclosure process, the reporter's first step should be to contact the vulnerability owner directly, expecting a prompt response and a collaborative approach to addressing the identified vulnerability. The intervention of a coordinator can help to establish and maintain a constructive relationship between the parties when the vulnerability owner cannot be contacted directly, when the owner does not act as the researcher expects (e.g., is not willing or not ready to remediate the reported vulnerabilities comprehensively), when the reporter wants to remain anonymous, or when the reporter does not follow responsible disclosure standards. Where the vendor or system owner affected by the discovered vulnerability has already published an organisational vulnerability disclosure policy, it is recommended to make sure the disclosure steps comply with its requirements.

EU Member States' national CVD policies imply a coordinating role for the designated CSIRT(s), acting as a trusted intermediary and facilitating, where necessary and upon the request of either party, the interaction between the concerned stakeholders. Those coordination tasks include identifying and contacting the entities concerned, assisting the natural or legal persons reporting a vulnerability, negotiating disclosure timelines, and managing vulnerabilities that affect multiple entities. The same provision also requires Member States to ensure that natural or legal persons are able to report a vulnerability to the designated CSIRT(s), anonymously where they so request. The respective CSIRT(s) shall ensure that diligent follow-up action is carried out with regard to the reported vulnerability, ensure the anonymity of the natural or legal person reporting it and, where appropriate, cooperate with other CSIRTs designated as coordinators within the EU CSIRTs Network.

Reporting of vulnerabilities

The most suitable contacts of EU Member States' appointed CSIRTs are available via the CVD policies published under their specific national frameworks. An overview of EU CSIRTs network members' published CVD policies and existing CVE Numbering Authorities is available at https://github.com/enisaeu/CNW#vulnerability-disclosure-policies.

When reporting a vulnerability to an EU Member State's appointed CSIRT under a national CVD framework, a report should include at least the following information, when available:

  1. Asset or control where the vulnerability is found (web page, IP address, product or service name)
  2. The version of the product on which the vulnerability is present, or the specific configuration of the product that is vulnerable
  3. Discovered weakness (such as a CWE)
  4. The severity of the vulnerability (e.g., using CVSS to calculate)
  5. A detailed description of the vulnerability, including the following information:
    • A summary of the vulnerability
    • Required steps to reproduce the vulnerability
    • Required configuration to reproduce the vulnerability
    • Possible mitigation measures for the vulnerability
  6. Potential impact of the vulnerability
  7. Whether the vulnerability has already been reported to the product manufacturer
  8. Whether a request for a CVE number has been made
  9. Contact information, including secure communication options (PGP fingerprint, etc.)
  10. Any other important information related to the discovered vulnerability
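The checklist above is what a receiving CSIRT checks at intake. The following is an added example, not ENISA's own tooling: a small Python intake check that flags missing items, verifies the CWE identifier form (item 3) and validates the CVSS v3.1 vector given for item 4 by computing its base score with the FIRST v3.1 formula. The field names and the sample report are assumptions constructed for the example.

```python
import math
import re
# Required items from the reporting checklist above (item 10 is optional by nature).
REQUIRED = ("asset", "version_or_config", "cwe", "cvss_vector", "summary", "steps",
            "repro_config", "mitigation", "impact", "reported_to_vendor", "cve_requested", "contact")
# CVSS v3.1 base metric weights from the FIRST specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.50}}  # by scope
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

def roundup(x):
    # CVSS v3.1 "Roundup": smallest one-decimal value >= x, with the spec's float guard.
    n = round(x * 100000)
    return n / 100000.0 if n % 10000 == 0 else (math.floor(n / 10000) + 1) / 10.0

def cvss31_base_score(vector):
    # Returns the base score for a CVSS:3.1 vector string, or None if it is malformed.
    m = re.fullmatch(r"CVSS:3\.1/([A-Z]+:[A-Z](?:/[A-Z]+:[A-Z])*)", vector.strip())
    if not m:
        return None
    v = dict(p.split(":") for p in m.group(1).split("/"))
    try:
        scope = v["S"]
        expl = 8.22 * AV[v["AV"]] * AC[v["AC"]] * PR[scope][v["PR"]] * UI[v["UI"]]
        iss = 1 - (1 - CIA[v["C"]]) * (1 - CIA[v["I"]]) * (1 - CIA[v["A"]])
    except KeyError:
        return None
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if scope == "C" else 6.42 * iss
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + expl) if scope == "C" else impact + expl
    return roundup(min(total, 10.0))

def check_report(report):
    # Returns a list of intake problems; an empty list means the report is complete.
    problems = [f"missing: {f}" for f in REQUIRED if not report.get(f)]
    if report.get("cwe") and not re.fullmatch(r"CWE-\d+", report["cwe"]):
        problems.append(f"cwe must be CWE-<id>: {report['cwe']}")
    if report.get("cvss_vector") and cvss31_base_score(report["cvss_vector"]) is None:
        problems.append(f"cvss_vector is not a valid CVSS v3.1 base vector: {report['cvss_vector']}")
    return problems

# Constructed sample report (hypothetical, not a real finding).
SAMPLE = {"asset": "example.invalid web portal", "version_or_config": "v1.2.3", "cwe": "CWE-79",
          "cvss_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "summary": "stored XSS",
          "steps": "...", "repro_config": "default", "mitigation": "output encoding", "impact": "session data",
          "reported_to_vendor": "yes", "cve_requested": "no", "contact": "reporter@example.invalid (PGP available)"}
```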

Additional informative materials

Several documents supporting CVD practices are available below: