Coordinated Vulnerability Disclosure (CVD) Policy

Rapid7’s Vulnerability Research and Disclosure Principles

  • We believe that democratizing access to attacker tools and knowledge strengthens defense. One of Rapid7’s unique strengths is our deep knowledge of how attackers work. Our vulnerability research and Metasploit teams work to make attacker capabilities, which would otherwise be used primarily by criminals, available so that defenders can understand and prioritize critical vulnerabilities, develop detections and mitigations, and test security controls. Publishing public exploit code and new research findings is core to our mission of closing the security achievement gap.
  • Public disclosure of vulnerabilities is a critical component of a healthy cybersecurity ecosystem. Rapid7 practices and advocates timely public disclosure of vulnerabilities in third-party products and in our own systems and solutions. This includes vulnerabilities we independently discover in our customers’ tech stacks. Through transparent, open, and timely disclosure of vulnerabilities, Rapid7 helps the whole internet protect and defend the assets and services that are critical to modern civilization.
  • In today’s threat landscape, organizations need timely information about risk in order to make informed choices about protecting their networks, especially during active attacks. Our coordinated vulnerability disclosure policy includes explicit provisions for accelerating public disclosure when exploitation is observed. When a security issue in a vendor’s product introduces risk into downstream customer environments, vendors often (understandably) act to protect their own business and reputation. When we know about exploitation in the wild, or when we believe that threat actors may be covertly weaponizing non-public vulnerabilities, our first priority is to make customers and the community aware of that risk so they can take action to protect their organizations.

Coordinated Vulnerability Disclosure (CVD) Policy

Consistent with standard industry practice around coordinated vulnerability disclosure (CVD) (for example, CERT/CC’s, Google’s, and ZDI’s), as well as the standards promulgated in ISO 29147 and ISO 30111, Rapid7 will generally prepare and publish an advisory detailing a newly discovered vulnerability approximately 60 days after our first attempt at private disclosure, unless there are extenuating circumstances (including those enumerated below that may warrant different disclosure guidelines). These advisories will be made publicly available via Rapid7’s blog and social media. Depending on the details of the findings, there may also be media engagement.

While coordinated vulnerability disclosure can vary from bug to bug depending on a wide range of circumstances, Rapid7’s primary concern is getting the vulnerability fixed and making affected parties aware of the risk associated with it. In keeping with the principles outlined above, Rapid7 has identified several common types of vulnerabilities, each of which warrants slightly different disclosure guidelines.

Please note, technical vulnerabilities often involve undefined behavior and unintended interactions. Therefore, Rapid7 may, at its sole discretion, modify the disclosure timeline due to unique or unpredictable factors of a particular vulnerability.

All Vulnerabilities (The Default Policy)

  • Rapid7 will confidentially disclose discovered vulnerabilities to the organization best able to address them. That organization is the "responsible organization."
    • If the responsible organization is not a CVE partner, Rapid7 will reserve a CVE ID.
  • After 15 days, Rapid7 will notify CERT/CC of the vulnerability, providing enough technical detail to demonstrate the issue. If the responsible organization has not acknowledged our initial disclosure by this time, Rapid7 will presume they are a "non-responsive responsible organization."
  • After 60 days of confidential disclosure to the responsible organization, Rapid7 will publicly disclose vulnerability information, including a CVE description, a view of the risk, impact, and mitigation strategies, and enough technical detail to demonstrate the issue (collectively, “vulnerability details”). Rapid7 may involve media outlets in that disclosure.
    • During those 60 days, Rapid7 expects the responsible organization to develop a solution and provide any updates to affected parties, and Rapid7 will keep CERT/CC apprised of the status of those updates.
    • If the responsible organization demonstrates consistent good faith in developing and releasing updates, but cannot complete this work within 60 days, Rapid7 may, at its sole discretion, grant a 30-day extension under the default policy (or any of the exceptions enumerated below).
  • If Rapid7 becomes aware that an update is generally available after reporting the issue to the responsible organization, including silent patches, which tend to hijack CVD norms, Rapid7 aims to publish vulnerability details within 24 hours.
  • Issues that are privately rediscovered and reported to the responsible organization as duplicates are not subject to the timeline expectations of this policy.

Exploited in the Wild
This is the case where we see active exploitation in production environments (including our own). In these cases, the goal is to publish critical information about the risk as quickly as possible so that organizations can take informed action to protect themselves.

This policy is identical to the default policy but for these changes:

  • Rapid7 aims to notify CERT/CC and publish public vulnerability information approximately 72 hours after discovering the vulnerability, regardless of the existence of an update.
  • If the vulnerability was found within an organization’s environment, Rapid7 will strive to notify directly affected organizations of the disclosure first.

Patch Bypass
This is the case where a vendor believes they fixed an issue, but didn't.

This policy is identical to the Exploited in the Wild policy but for these changes:

  • A new CVE ID will be reserved that references the original CVE ID.
  • Rapid7 will inform the responsible organization and CERT/CC concurrently.
  • Depending on the nature of the bypass, Rapid7 may release vulnerability details immediately, or up to 45 days after reporting to CERT/CC.

Cloud/Hosted Vulnerabilities
In this case, there is nothing for end users or implementers to fix on their end; fixing the issue requires only the responsible organization to act.

This policy is identical to the default policy but for these changes:

  • Rapid7 will not reserve a CVE ID.
  • If the issue is resolved inside the 60 day coordination window, Rapid7 will assess the value of a public disclosure. If the issue remains unresolved after the coordination window closes, a public disclosure may be issued per the default policy.

Kinetic Vulnerabilities
These are vulnerabilities with obvious and direct effects on human health and safety, and are not otherwise present in generally-used technology. Specialized OT and medical technology fall into this category.

Changes to the default:

  • Rapid7 will disclose vulnerability details 30 days after the general availability of an update, rather than immediately.
    • If the vulnerability becomes actively exploited in the wild, the Exploited in the Wild policy shall apply instead.
  • Rapid7 will coordinate with relevant government agencies that are able to work with the responsible organization to develop, distribute, and implement updates (including CERT/CC).
  • Coordination with CERT/CC and the responsible organization may be extended to 180 days. If there is no update available after 180 days, Rapid7 will publish vulnerability details.

Low-Impact Vulnerabilities
These are vulnerabilities that are trivial, whose exploitation would have negligible security consequences for affected production environments, or that are limited to a single production instance, such as a website not connected to critical infrastructure, or that exist only in theoretical or very unlikely configurations of affected systems.

Changes to the default:

  • Rapid7 will not coordinate with CERT/CC.
  • Rapid7 may not publish vulnerability details at any point, but may do so if circumstances change (for example, if it is demonstrated that this low-impact vulnerability can be chained with another vulnerability to achieve a high-impact result).

Vulnerabilities with No Responsible Organization
These are vulnerabilities in obsolete systems, abandoned packages, or software maintained by non-responsive responsible organizations.

Changes to the default:

  • Rapid7 will publish vulnerability details 45 days after providing CERT/CC with the vulnerability details, or on a timeline agreed upon with CERT/CC.

Multi-Category Vulnerabilities
These vulnerabilities match more than one non-default category, such as a vulnerability for unsupported software that is exploited in the wild.

  • If there is a conflict in timelines, the shorter timeline shall apply.

Feedback

If you have any questions about this policy, or coordinated vulnerability disclosure in general, please feel free to reach out to cve@dyhujing.com.

You can also read our blog for more discussion of this policy.