Dragos Vulnerabilities Policy
Version 1.1. Last updated 7/13/2022
The Dragos mission is to Safeguard Civilization. Our disclosure policy furthers this mission through coordinated disclosure with vendors and ensuring vulnerability information is made public in a timely manner. Dragos strives to build a strong ICS security community amongst owner-operators, vendors, integrators, and cyber security providers. Such a wide-reaching community will inevitably have competing interests, and not everyone will be happy with how we handle zero-day vulnerabilities. However, Dragos will always make a good faith effort to both be a good partner and do what is good for the ICS security community.
After discovering vulnerabilities, Dragos will attempt to contact the affected vendor. Contact will be made through e-mail or through any secondary mechanism the vendor’s product security website might suggest. Dragos gives vendors four weeks (28 days) to acknowledge our disclosure and confirm the vulnerabilities. A vendor that does not respond or does not cooperate in the disclosure process will be treated as uncooperative, and Dragos will move on to our publication stage.
The initial disclosure to the vendor will describe the vulnerabilities and how to reproduce them, provide a link to this policy, and clearly state the disclosure deadline and our intention to publish the vulnerability information and associated mitigations (patches, compensating controls, etc.). The publication deadline is 90 days after the initial disclosure is sent. Dragos believes 90 days is a reasonable amount of time to produce patches or mitigation guidance for affected customers. If a vendor is unable to publish an advisory by the deadline date, Dragos believes it’s in the community’s best interest to be made aware of the security issues, and we’ll proceed to our publication stage. Extensions to the 90-day disclosure policy will only be considered in rare cases with cooperative vendors facing extenuating circumstances where delayed publication is in the best interest of the ICS community.
However, our preferred method is coordinated disclosure, in which the vendor and Dragos publish advisories on an agreed-upon date. Dragos believes this is the most beneficial outcome for customers, as they receive both an official vendor advisory and an advisory containing Dragos’s unique security expertise at the same time. We also believe coordinated disclosure fosters strong relationships between vendors and cyber security providers. To further strengthen this bond, Dragos commits to providing vendors with a draft of our advisory before publication. We encourage vendors to do the same.
Dragos will disclose vulnerabilities only to the original manufacturer. Coordination with relabeled or “white label” products and resellers is the responsibility of the original manufacturer. Dragos cannot reasonably navigate these pre-existing relationships.
Dragos vulnerability publications focus primarily on context, impact, and mitigation. Our Vulnerability Assessment* (VA) publication is shared only with select WorldView customers, and it contains only enough information to help our customers determine if they need to take action. Any public publication undertaken by Dragos (such as an advisory or blog) will contain limited vulnerability details. Dragos never shares sufficient information to weaponize a vulnerability and never shares exploit code externally.
To ensure the ICS community receives notification of Dragos-discovered vulnerabilities, we’ll make every effort to ensure CVE IDs are both assigned and published. If the vendor is not a CVE Numbering Authority (CNA), then Dragos will reserve CVE IDs after the vendor confirms the issues. Dragos will share the CVE assignment with the vendor as early as possible. Once advisories have been made publicly available, Dragos will inform MITRE and, when appropriate, national computer emergency response teams.
*WorldView is a Dragos Intelligence product offering. Vulnerability Assessment products are owner/operator-only reports with in-depth analysis and mitigations of the vulnerabilities Dragos’s team identified.