CSP-CERT®:
Coordination and Disclosure Policy



Overview

The CSP-CERT Coordination Center's vulnerability coordination program assists reporters in disclosing security issues to the organization(s) involved. While CSP-CERT encourages reporters to contact the organization(s) directly, there are cases where a reporter chooses to work with CSP-CERT to coordinate the disclosure and publish an advisory.

Coordination and Disclosure Policy

Requests for vulnerability coordination require that the vulnerability found in an online service or software application meets the following conditions:

  1. The online service or software application must be actively maintained.
  2. The online service or software application must not be in its alpha or beta testing stage.
  3. The software application's version must be an official release that is supported by the vendor.

The CSP-CERT Coordination Center expects the vulnerability reporter to send the report by email to: vulnerability at cspcert.ph. Because of the sensitive nature of the information, it is recommended to encrypt the report with CSP-CERT's PGP key; verify the key's fingerprint through an independent channel before using it, so that a report is not encrypted to a substituted key.

Below are the contents required when sending a report for online services and software applications:

Email Subject Format

Type                                          Email Subject
Online Service (Private)                      [PCVR] - Vulnerability in *.com/.com.ph/.ph/etc.
Online Service (Government)                   [GCVR] - Vulnerability in *.gov.ph
Online Service (Defense)                      [DCVR] - Vulnerability in *.mil.ph
Software Application (Local Vendor)           [LSVR] - Vulnerability in <Software Product>
Software Application (International Vendor)   [ISVR] - Vulnerability in <Software Product>

Email Message (Body) Format

For online services:

  • URL
  • Vulnerability Description
  • Proof of Concept
  • Impact

For software applications:

  • Product
  • Product Version
  • Product URL
  • Vendor
  • Proof of Concept
  • Impact

The CSP-CERT Coordination Center prioritizes reports according to factors such as whether the vulnerability affects users in the Philippines, its severity, and whether it affects critical infrastructure. ISO/IEC 29147 (Vulnerability disclosure) is strictly followed when coordinating vulnerabilities with vendors and organizations. After sending a report, expect an acknowledgement email within 3 business days.

In some cases a report cannot be processed successfully, for example when the vendor does not acknowledge the vulnerability or the organization involved does not respond to CSP-CERT. When this happens, CSP-CERT may decide to close the report with or without a public advisory. If a public advisory is released, it will be posted in the advisories section: https://www.cspcert.ph/advisories.html.

Since the CSP-CERT Coordination Center is also a CVE Numbering Authority (CNA), CVE IDs will be assigned to vulnerabilities reported in software applications that are not covered by a vendor-specific CNA (the list of participating CNAs is at https://cve.mitre.org/cve/request_id.html#cna_participants). Please note that only vulnerabilities found in software applications are eligible for CVE ID assignment; vulnerabilities in online services are not.