Submission Policy, Vulners

Objective

Our vulnerability submission policy is designed to achieve two main objectives:

• To provide vendors with a reasonable timeframe to address reported vulnerabilities.
• To offer the security community and affected users accurate, useful, and actionable vulnerability information.

Vulnerability Reporting

Users can submit new vulnerabilities through [email protected] email. By submitting vulnerabilities, they agree to this Submission Policy.

Submission Requirements

Submissions must include the following details:

• Vendor Name
• Product Name
• Affected Versions
• Vulnerability Class as CWE

Providing detailed summaries, exploit details, screenshots, and videos helps expedite the validation process.

Disclosure Timeline

• Initial Review: Submitted vulnerabilities are typically reviewed within 2-5 business days.
• Coordination: If coordination with an external party (e.g., vendor) is required, processing may exceed 7 days.

Quality Control

The moderation team aims for high-quality entries and data. This may require additional communication and validation time. If the standard disclosure timeline cannot be met, users will be informed of the new timeline via email.

Coordinated and Responsible Disclosure

Our coordinated disclosure process is as follows:

• Vendor Notification: Vulners contacts the affected vendor with vulnerability details and provides a 120-day deadline to address the issue or publish an advisory.
• Customer Information: Vulners may share vulnerability details with customers to enable defensive measures while awaiting an official patch.
• Ongoing Communication: Regular contact is maintained with the vendor to coordinate the publication date for advisories.
• Simultaneous Disclosure: On the day the vendor releases a patch or advisory, Vulners will publish a third-party vulnerability advisory.
• Uncoordinated Disclosure: If the vendor fails to respond within 120 days, Vulners will publish an uncoordinated third-party advisory.

CVE Assignment

If a submission does not have an assigned CVE, Vulners will assign one following the general CNA Rules, provided it is not within another CNA's scope. If necessary, coordination with the relevant CNA will be undertaken, potentially causing delays.

Communication

All communications regarding submissions are conducted via email. Users will receive updates on the status of their submission and any decisions made by the moderation team.

Embargo

All submission details and communications are confidential until the vulnerability is disclosed. If accepted, the submission details will become public. Rejected submissions remain confidential and inaccessible to the public.

Acceptance and Publication

Accepted submissions will result in a new entry being created, listing the submitting user as the researcher or submitter. Users can request anonymity.

Handling Multiple Vulnerabilities

• Splits: Submissions with multiple vulnerabilities will be split into separate entries.
• Merges: Duplicate submissions will be merged with existing entries, crediting the reporting user as a contributor.

Disputes

If a third party disputes a vulnerability disclosure, they must provide a clear rationale and technical proof. Valid disputes will result in the entry being flagged accordingly. Vulners cannot dispute CVEs issued by other CNAs.

Rejections

Submissions not qualified as new vulnerabilities will be rejected, with an explanation provided to the user. Common reasons include spam, false positives, and invalid data. Rejected entries are flagged, and any associated CVEs issued by Vulners will be revoked.

Weak Submissions and Blacklisting

Users providing weak submissions or abusing the system may face decreased priority, temporary submission limits, or permanent blacklisting. Details of any limitations will be communicated via the email.

Policy Flexibility

Vulners reserves the right to modify or deviate from this policy as necessary.