The Cyber Threat Alliance (CTA) is committed to raising the level of cybersecurity across our digital ecosystem. In line with that mission, CTA believes that identifying, reporting, and addressing hardware and software vulnerabilities is an essential component of any organization’s cybersecurity program. The purpose of this policy is to foster an open partnership with the security researcher community, and we recognize the work that community does to improve cybersecurity for CTA, its Members, and the broader internet.
To that end, this policy reflects CTA’s corporate values and upholds our responsibility to the good-faith security researchers who provide us with their expertise.
CTA’s vulnerability disclosure program covers the following products and services:
This scope will be amended, as necessary, should additional products or services be developed.
Response to Vulnerability Reports
CTA openly accepts reports for its listed products and services, and we will investigate every report we receive. CTA is committed to addressing any identified vulnerability in a timely manner. Our response will be based on the risk the identified vulnerability poses to the organization or to any of our members, partners, or visitors.
Given this approach to handling vulnerabilities, CTA will not take legal action against individuals who submit vulnerability reports through CTA’s reporting process. We also will not pursue legal action against individuals who:
- Engage in testing of systems or research without harming CTA, its Members, or its Partners.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program.
- Comply with the laws of their own jurisdiction and of CTA’s jurisdiction. For example, activity that would otherwise give rise only to a civil claim by CTA (such as reverse engineering or circumventing protection measures) may be acceptable where CTA has authorized that activity to improve its security.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
How to Submit a Vulnerability
To submit a vulnerability report to CTA, please send an email detailing the vulnerability to firstname.lastname@example.org.
Preference, Prioritization, and Acceptance Criteria
We will use the following criteria to prioritize and triage submissions.
What we would like to see from you to increase the likelihood of resolution:
- Well-written reports in English that describe how you found the vulnerability, your assessment of its impact, and any suggested remediation.
- Reports that address products or services on the in-scope list. Reports addressing other products or services will receive a lower priority.
- Your plans or intentions for public disclosure.
What you can expect from us:
- A response to your email within 2 business days.
- A commitment to being as transparent as possible about the remediation process as well as any issues or challenges that may extend it.
- After triage, a response that includes an expected timeline for resolution.
- An open dialog to discuss issues.
- Notification when the vulnerability analysis has completed each stage of review.
- Credit after the vulnerability has been validated and fixed, if desired.
- CTA branded items, such as a coffee mug or hoodie, after the vulnerability has been validated and fixed, if desired.
What you should not expect:
- Payment for identifying the vulnerability. As a small non-profit, CTA does not pay for vulnerability identification.
If we are unable to resolve communication issues or other problems, CTA may bring in a neutral third party (such as CERT/CC, ICS-CERT, or relevant regulator) to assist in determining how best to handle the vulnerability.