Wherever possible, NCSC encourages any individual or organisation that has identified a potential vulnerability ('Finder') in a product or online service to make direct disclosure to the individual or organisation that developed the product or service or is responsible for maintaining it ('Vendor'). The Vendor may have its own vulnerability disclosure policy or provide guidance on how it will receive disclosures.
Where the Finder does not want to contact the Vendor directly or has not had any success in contacting the Vendor directly, NCSC is available to receive a vulnerability disclosure. NCSC will act as a conduit of information only — we will endeavour to pass information on to the relevant Vendor. The Vendor may then contact the Finder directly and it is then for the parties to manage the relationship. Where the Finder wants to retain anonymity, NCSC will, where appropriate, continue to act as a conduit and pass information between the parties.
NCSC will coordinate vulnerability disclosure in order to balance the needs of the public to be informed of potential security vulnerabilities with the need for organisations to have time to effectively address any vulnerability.
Responsible Disclosure
By using this service, the Finder, NCSC and the Vendor agree to:
- adopt the procedures outlined in this policy
- operate in accordance with relevant local laws
- take reasonable care to minimise the risk of harm from security research, vulnerability discovery and disclosure
- in the case of the Finder, provide sufficient information on the reported vulnerability as required
- in the case of the Vendor, conduct its own security checks on any disclosure and information received
- maintain discretion, and
- communicate in a timely manner.
Subject to the terms of this policy, NCSC will:
- make reasonable efforts to contact the Vendor as soon as practical after receiving a disclosure, and will provide the Finder’s name and contact details to the Vendor (unless anonymity is requested)
- where requested, maintain the Finder’s anonymity to the extent reasonably possible
- make reasonable efforts to contact the Finder and the Vendor prior to any release of the disclosure
- seek agreement, where possible, between relevant parties before disclosing information regarding a vulnerability to the public, and
- provide fair treatment to all relevant parties as much as possible.
NCSC does not:
- verify, analyse or investigate information provided by the Finder before conveying it to the Vendor
- provide any reward or incentive such as a 'bug bounty'
- recommend or pursue legal action on behalf of another party
- condone or encourage breaches of the law
- offer a whistle-blower service, or
- provide any 'safe harbour' protection from civil or criminal liability.
Timeframe
Vulnerabilities may be made public by NCSC 45 days after it notified the Vendor about the vulnerability, regardless of the existence or availability of patches or other mitigating factors. This timeframe may change where the vulnerability is:
- being actively exploited
- publicly disclosed by an entity other than NCSC
- reported by multiple sources to NCSC or the Vendor
- considered to be exceptionally serious (for example, threatening public safety), or
- where the parties agree or where NCSC considers it necessary.
Reporting to NCSC
NCSC is available to receive information in accordance with this policy about any vulnerability which, if exploited, could give rise to a compromise or degradation of the confidentiality, integrity and availability of a network, system or data.
To report a vulnerability, send a PGP encrypted email to disclosures@ncsc.govt.nz (our PGP fingerprint is 9713 8773 3D95 7FAD C0EA 1797 8EB8 FFBD D973 476E) including the following information.
- Details of the vulnerability, including:
  - which products/services and versions are affected
  - which platform(s) the product uses
  - the likely impact of exploitation
  - any other relevant information you can supply
  - any proof of concept.
- NCSC also requests information regarding:
  - your contact details so NCSC can communicate with you
  - whether you have been in contact with the Vendor
  - whether this information has been published or shared with others, and
  - whether you would prefer to remain anonymous.
NCSC will endeavour to respond to the Finder with further details of the process within two business days.
NCSC reserves the right to accept, reject, or prioritise any vulnerability disclosure at its discretion. The decision whether to accept or reject the vulnerability disclosure coordination role for a particular disclosure will generally be based on the scope and severity of the vulnerability and our ability to resource the process.
Disclaimer
NCSC acts only as a conduit in respect of any vulnerability disclosure or associated communication ('Disclosed Information'). NCSC accepts no liability to the Finder, the Vendor or any other party for any direct or indirect loss or damage of any kind whatsoever, however caused, including by any act or omission on the part of NCSC, and whether under contract, tort (including negligence), statute or any other basis for liability. NCSC is not responsible for the use of or reliance on the Disclosed Information by any party. NCSC does not make any express or implied representation or warranty regarding the Disclosed Information or its accuracy. The provision of Disclosed Information to a party by NCSC does not constitute any endorsement, verification or recommendation by NCSC.
Information provided to NCSC may be disclosed to third parties as required by law or where NCSC considers disclosure to be in the public interest.
References to NCSC in this Policy should be read as a reference to GCSB.
Contact us
Any inquiries regarding this policy should be directed to disclosures@ncsc.govt.nz.