Kryptowire Vulnerability Disclosure Process

Version 3.0

January 2022

Kryptowire security researchers often uncover vulnerabilities in devices running the iOS and/or Android operating systems. These vulnerabilities may be in chipsets, system software, firmware, or applications installed on the device. This document outlines how Kryptowire will disclose these discovered vulnerabilities to all affected vendors.

A Vulnerability Disclosure Program (VDP) is the digital equivalent of “if you see something, say something.” Many manufacturers and developers have a process for third parties to report a vulnerability found in their products. If your organization does not have a VDP (and it is highly recommended to have one), a template can be found here.

This document is different from a standard VDP in that it outlines how Kryptowire will disclose vulnerabilities found by Kryptowire, not how to report vulnerabilities to Kryptowire.

Kryptowire also discloses vulnerabilities to CISA using the DHS CISA Coordinated Vulnerability Disclosure process.

It is often the case that a vulnerability is found in a subsystem made by a third party, such as a chipset from a chip manufacturer or system software developed by another company. The vulnerability may then be present in many devices made by several unrelated manufacturers. In that situation, Kryptowire will follow the process described below separately for each affected vendor.

Disclosure Process

Once a vulnerability is found and verified by the research team, Kryptowire will follow these steps:

Contact

Kryptowire will search the websites of all affected parties for a VDP and will attempt to establish communication with each vendor up to three times:

  • The initial attempt (Start Date).
  • A second attempt no less than one week after the initial attempt.
  • A third attempt no less than two weeks after the initial attempt.

If an adequate response is not received from the vendor within 45 days of the initial attempt, Kryptowire will disclose the vulnerability to CISA. Kryptowire may then disclose publicly 45 days after disclosing to CISA.

If the affected party does reply, Kryptowire will work with the organization by providing additional information on the vulnerability.

Remediation

Kryptowire is committed to a safer online environment and will work with any vendor who is committed to fixing the issue. This includes, but is not limited to, sharing of information and further discussion of the issue. In return, Kryptowire expects prompt communication back from the vendor including timeline information regarding remediation.

Disclosure

Kryptowire will publish a Security Advisory with all appropriate technical details concerning the vulnerability. Kryptowire prefers to work closely with the vendor, but may issue the advisory whether or not the vendor has released a fix. The Security Advisory is issued on whichever of the following schedules applies:

  • The Security Advisory will be released publicly 90 days after the vendor was first contacted (Start Date).

Or

  • The Security Advisory will be released publicly 45 days after the vulnerability was disclosed to CISA.

Additional Disclosure Details

  • If the vendor releases a patch, Security Advisory, or any other information regarding the vulnerability, either publicly or to any of its partners or customers, before the 45/90-day timeframe has elapsed, Kryptowire may release its Security Advisory before the planned disclosure date.
  • If Kryptowire finds the patch to be inadequate in any way, Kryptowire will attempt to notify the vendor and work with them on remediation, but may issue a notice of inadequacy 7 days after the patch is released if it deems that this information needs to be shared.
  • If Kryptowire becomes aware that the vulnerability is being actively exploited, Kryptowire may issue a Security Advisory earlier than the planned 45/90-day schedule.