WHAT IS RESPONSIBLE VULNERABILITY DISCLOSURE?
Responsible vulnerability disclosure is a process that allows security researchers to safely report vulnerabilities they have found in ICT systems belonging to government, business or private organisations operating in Pakistan to our team.
Our vulnerability disclosure program makes it clear to security researchers exactly how to share vulnerabilities in applications and infrastructure in a safe and efficient manner. We help Pakistani organisations by creating and managing a responsible disclosure program on their behalf, which can help them improve their cyber security posture and protect the digital ecosystem in Pakistan.
MANAGED VULNERABILITY DISCLOSURE (MVD) – Pakistan
To help Pakistani organisations and businesses adopt responsible disclosure, we have developed a responsible disclosure policy that your team can use for free. Implementing a responsible disclosure policy raises the level of security awareness in your team: bringing the conversation of "what if" to your team helps reduce the likelihood of a successful attack. Whether you have an existing disclosure program or are considering setting up your own, Tier3 works alongside disclosure.pk, the largest hacking community in Pakistan. This partnership helps us analyse the tactics, techniques, and procedures (TTPs) used by potential threat actors, identify patterns of behaviour and commonalities between different incidents, streamline submissions, and manage your program for you.
Our Managed Vulnerability Disclosure Program amplifies and extends your security capabilities and reduces risk considerably. With a VDP, you invite the world to report critical vulnerabilities they find in your systems. Tier3 provides end-to-end management of vulnerability submission, triage, validation, SDLC integration, and remediation. In short, we remove virtually all the overhead from your security team so they can focus on resolving validated issues sooner.
COORDINATED VULNERABILITY DISCLOSURE (CVD) – Pakistan
Tier3's CVD program helps Pakistani organisations coordinate the process of addressing and publicly disclosing newly discovered cybersecurity vulnerabilities in their products or services, working with the affected vendor or service provider. This includes vulnerabilities in industrial control systems, Internet of Things devices, medical devices, and traditional IT systems. The objective of the program is to ensure that Tier3, the vendor, and the person who reported the vulnerability all disclose the information simultaneously, providing clear and actionable guidance to users and administrators in a timely manner.
Our coordinated vulnerability disclosure process involves five basic steps:
- Collection of Information: Tier3 collects vulnerability reports in three ways: Tier3's own vulnerability analysis, monitoring of public sources of vulnerability information, and direct reports of vulnerabilities to Tier3. After receiving a report, Tier3 performs an initial analysis to confirm that the vulnerability is present and compares it with existing reports to identify duplicates. Tier3 then catalogues the vulnerability report, including all information that is known at that point.
- Analysis of Vulnerability: Once the vulnerability reports are catalogued, the vendor(s) and our analysts work to understand each vulnerability by examining the technical issue and the potential risk it represents.
- Mitigation and Coordination: After analyzing a vulnerability, we will continue to work with the affected vendor(s) for mitigation development and the issuance of patches or updates.
- Application of Mitigation: When possible and where necessary, we may work with vendor(s) to facilitate sufficient time for affected end users to obtain, test, and apply mitigation strategies prior to public disclosure.
- Disclosure: In coordination with the source of the vulnerability report and the affected vendor(s), we will take appropriate steps to notify users about the vulnerability via multiple channels. Tier3 strives to disclose accurate, neutral, objective information focused on technical remediation and mitigation for asset owners and operators. We will make references to available related information and correct misinformation where necessary.
Typical Vulnerabilities Accepted:
- OWASP Top 10 vulnerability categories
- Other vulnerabilities with demonstrated impact
Typical Out of Scope:
- Theoretical vulnerabilities
- Informational disclosure of non-sensitive data
- Low impact session management issues
- Self XSS (user defined payload)
- Incomplete or missing SPF/DMARC/DKIM records
- Issues related to password/credential strength, length, lockouts, or lack of brute-force/rate limiting protections
Additional specific vulnerability types considered out of scope due to low impact:
- IIS Tilde File and Directory Disclosure
- SSH Username Enumeration
- WordPress Username Enumeration
- SSL Weak Ciphers / POODLE / Heartbleed
- CSV Injection
- PHP Info
- Server-Status if it does not reveal sensitive information
- Snoop Info Disclosures
Responsible Vulnerability Disclosure – Pakistan
We take the security of systems, products, employees and customers' information in Pakistan seriously, and we value the security of our local Pakistani community. We appreciate and encourage security researchers to contact us to report potential vulnerabilities identified in any product, system, or asset belonging to Pakistani corporate entities, government institutes and local Pakistani affiliate companies. If you believe you have identified a potential security vulnerability in an ICT system belonging to a Pakistani government or business entity operating or based in Pakistan, please submit it in accordance with our Responsible Disclosure Program.
Responsible Vulnerability Disclosure Program – Guidelines
We require that all researchers:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction of data during security testing;
- Do not engage in any activity that can potentially or actually cause harm to local Pakistani Companies, their customers, or employees;
- Do not initiate a fraudulent financial transaction;
- Do not store, share, compromise or destroy customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact us. This step protects any potentially vulnerable data, and you;
- Do not engage in any activity that violates (a) Pakistan state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity;
- Perform research only within the scope set out below;
- Use the identified communication channels to report vulnerability information to us;
- Do not upload any vulnerability or client-related content to third-party services (e.g. GitHub, Dropbox, YouTube);
- Keep information about any vulnerabilities you have discovered confidential between yourself and Tier3 Pakistan; and
- Leave your contact details so that we can contact you later: at least an email address or telephone number.
What not to do
- Send malware;
- Copy, change, or delete data in the ICT system concerned (as an alternative, you can create a directory listing of the system);
- Change the system;
- Repeatedly visit the system or share access with others;
- Use brute force to gain access to the system;
- Attempt denial of service or social engineering.
What to expect
- When you report a security flaw, check that you comply with the conditions described above. If you do, Tier3 and the organisation concerned will not attach any legal consequences to your notification.
- We treat the notifications received confidentially. We do not share your personal details with third parties without your permission unless required to do so by law or a court order.
- We will, if you wish, mention your name as the one who discovered the security flaw.
- We will send you an acknowledgement of receipt within one working day.
- We will respond to your notification within three working days. Our response will contain an assessment of your notification and the date by which the organisation concerned expects to remedy the flaw.
- We will keep you – as the one who discovered the flaw – informed of the progress made in remedying it.
- We will remedy the flaw as soon as possible, and certainly no later than 60 days after receiving the notification. Tier3 will work with you to determine whether and, if so, how the reported flaw is to be made public. It will not be made public until after it has been remedied.
- Tier3 will mediate between you and the body or organisation concerned and try to obtain a reward for you as acknowledgement of your assistance.
Vulnerability Disclosure Process
- Let us know as soon as possible upon discovery of a potential security issue, and we will make every effort to resolve the issue quickly;
- Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party;
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Tier3 recognises and rewards security researchers who help us keep Digital Pakistan safe by reporting vulnerabilities in services, internet systems and other ICT assets operating in the Pakistani IT ecosystem.
- Monetary bounties for such reports are entirely at our discretion, based on risk, impact, and other factors.
- To qualify for a bounty, you must first follow the requirements of, and adhere to, the Responsible Disclosure Program.
- We investigate all valid reports. If a report qualifies, we award a bounty to the first person to submit the issue.
- Bounty amounts are determined based on a variety of factors, including but not limited to impact, ease of exploitation, and quality of the report.
- If we pay a bounty, the minimum reward is 5000 PKR. Note that extremely low-risk issues may not qualify for a bounty at all.
For more information about Responsible Disclosure Program or to report a vulnerability contact us.