“Reporting a vulnerability to CERT-In does not mean that you are exempt from complying with the regulations. The Discloser is responsible for all actions he / she takes to discover the vulnerability,” said the Indian Computer Emergency Response Team (CERT-In) in its new Responsible Disclosure and Coordination of Vulnerabilities Policy.

This essentially means that security researchers and ethical hackers who report weaknesses in websites or systems remain liable to prosecution and must comply with the relevant laws, such as the IT Act 2000 and its 2008 amendment.

Until now, information on the programs and processes through which Indian government agencies accept security vulnerability disclosures has been scarce. A Centre for Internet and Society (CIS) research study found that there are “several sections and provisions in the IT Act 2000 that have the potential to interfere with legitimate security research, even if conducted in good faith.”

It was therefore important for the Government of India to develop a vulnerability disclosure policy that encourages such research, rather than the current policy, which many feel discourages it. Many internet users, for example, described this move as “shooting the messenger”.

More details of the vulnerability policy

Details CERT-In requires to investigate vulnerability claims


  • The affected product(s)
  • The exact software version or model affected
  • Vendor details
  • A description of the vulnerability, with concise steps to reproduce it and supporting evidence such as:
    • Proof of Concept (PoC)
    • Code sample
    • Crash reports
    • Screenshots, video recordings, etc.
  • The impact of exploiting the vulnerability
  • Other products or software versions likely to be affected
  • How the vulnerability was discovered
  • The tools used to uncover the vulnerability
  • Information about any known exploit
  • Any time constraints on publication (e.g. an article, blog post or conference talk)
  • Whether the vulnerability has already been reported to the vendor or another authority, or whether this is planned
  • Whether the reporting party wishes to remain anonymous during the coordination process
  • Whether the reporting party wishes to be credited in the vulnerability note

Coordination for resolution

CERT-In said in the policy that it will review and validate the vulnerability report. “After successful validation, CERT-In will initiate coordination with the relevant product vendor(s), parties subject to disclosure and other parties (if necessary) to remedy and resolve the problem,” the policy says.

“CERT-In will make every possible effort to keep disclosure to a minimum. However, there may be situations where assistance from trusted third parties may be required. In this case, CERT-In shares some or all of the information about the vulnerability with the trusted third parties.” – Responsible Disclosure and Coordination of Vulnerabilities Policy

Timeline for resolving the problem

CERT-In said it will attempt to resolve the issue within 120 days from the date of first contact with the vendor. However, it added that the timeframe could change if the vulnerability:

  • Is being actively exploited
  • Has been reported to CERT-In or the affected vendor / developer from multiple sources
  • Is considered exceptionally serious (e.g. a threat to public safety)
  • Is covered by an agreement between the discloser, CERT-In and the affected vendor / developer

“It may be pointed out that situations may arise where the problem is not resolved within 120 days, in which case CERT-In may disclose or make the vulnerability public and stop coordinating efforts with the vendor.” – Responsible Disclosure and Coordination of Vulnerabilities Policy

Difficulty reporting vulnerabilities: CIS

For its 2019 report “Improving the Processes for Disclosing Security Vulnerabilities to Government Entities in India”, the Centre for Internet and Society interviewed hackers about the issues they face when reporting security vulnerabilities:


Procedure: Hackers said it was difficult to identify whom to report a particular vulnerability to, because government websites in India often do not list contact information for reporting security vulnerabilities.

Communication: The report noted that it was unclear what would happen to a vulnerability report after it was submitted. “This creates a situation where security researchers invest a lot of time and effort first reporting a vulnerability and then repeatedly trying to track whether it has been fixed,” the report added.

Accessibility: The process of submitting vulnerability details can sometimes be challenging in itself.


Update, September 9, 12.44 p.m.: Reactions in the form of tweets from V Anand added.
