ESET coordinated vulnerability disclosure policy

As security software developers, here at ESET we understand the importance of protecting the privacy and security of all technology users, not just our customers. We value the trust our customers place in our products and services and are dedicated to maintaining their security and privacy while addressing any issues reported to us. Equally, while respecting the legitimate business interests of other hardware, software, and service vendors, should our ongoing research uncover vulnerabilities in their offerings, ESET’s goal is to ensure the best protection of our collective digital world. We believe that this is best achieved through a coordinated vulnerability disclosure process.

Reporting security issues to ESET

We appreciate the time and effort of independent security researchers and strive to work cooperatively with them to improve our products and services. To report a security issue in an ESET product or service, please visit our Report Security Vulnerabilities page. Our security team will endeavor to respond within three working days. We believe coordinated disclosure provides the best protection for the broadest range of technology consumers. To that end, we suggest you take a similar approach to that of our researchers when reporting vulnerabilities that we discover in others’ products and services. Our policy for such disclosures is described below.

Coordinated vulnerability disclosure policy

Coordinated vulnerability disclosure processes encourage researchers and vendors to coordinate their efforts, with the focus being on providing the best level of protection for the broadest range of technology users, while doing so in a timely manner. If we discover a vulnerability in a third-party product or service, we will make extensive attempts to locate and inform the affected vendors, work cooperatively with them toward a suitable resolution of the vulnerability, and withhold public disclosure of the vulnerability until the vendor releases an update, or until 90 days have passed since making initial contact with the vendor, whichever comes first. Should we fail to establish satisfactory contact with a vendor, we will wait 90 days from our first attempt to contact the vendor before publicly disclosing a vulnerability.

We pledge never to try to make financial gain from any vulnerability we discover, and to adhere to the principles of coordinated disclosure as expressed in this policy.

All communication related to vulnerabilities discovered by ESET researchers should be directed to:

Discovery and reporting

ESET researchers may discover vulnerabilities in third-party products or services for several reasons. Aside from research teams with a specific focus on vulnerability research, analyzing suspicious and malicious software also often results in the discovery of vulnerabilities, misconfigured services that can be abused to access what should be private data, and so on.

When ESET researchers discover a possible vulnerability or misconfigured service, they will follow this process:

  • Extensive efforts will be made to locate the appropriate contacts for the affected product or service, including: industry-standard email role addresses such as secure@<domain>, security@<domain>; whatever is listed in the domain’s security.txt metadata; technical support or similar contacts easily identified from the product or service, its documentation, or the vendor’s website; social media accounts; or any other contact methods we may have successfully used previously for relevant vendors.
  • The identified contacts will be sent a vulnerability disclosure report that describes the affected products or services, the vulnerability, steps to exploit it, information about whether it is currently being exploited, an assessment of the vulnerability’s impact, and possibly also suggestions of how to mitigate or correct the vulnerability. This report will also include a link to this policy, an offer of any further assistance we might be able to provide and a statement of our intention to publish a vulnerability disclosure report.
  • The vendor should respond, even if it is only to challenge the vulnerability claim or to ask for more details.
  • If no response is received within 7 calendar days, the same message will be resent to the identified contacts, and further possible contacts will also be sought and sent the vulnerability disclosure report. These contacts might be solicited from other security researchers with whom we regularly cooperate, and/or from regional, industry or national CERTs and similar organizations. Apart from noting that we have a security vulnerability to disclose to the intended contacts, we will keep all significant details about the vulnerability confidential while seeking these further contacts.
  • Again, as this should be a cooperative process, the vendor should respond.
  • If there is no response within another 14 calendar days, we might try to contact the affected vendors via telephone.
  • If none of these contact attempts results in a satisfactory response, we will publish a vulnerability disclosure 90 calendar days after the initial attempt to contact the affected vendors. Responding to our vulnerability disclosure report with legal threats will be considered an unsatisfactory response. We genuinely want to help you and your customers achieve a better security or privacy result and we have no financial interest in that outcome one way or the other.
  • If the vendor makes a satisfactory response to any of these contact attempts, we will then work cooperatively with them as described in the next section.

Mitigation and timeline

Once a vendor responds to our vulnerability disclosure contact and indicates a willingness to address the vulnerability, ESET researchers will work cooperatively with the vendor for up to 90 calendar days from the date the vendor replies to us. After 90 days, or sooner if the vulnerability is patched or otherwise resolved, we will publish a vulnerability disclosure.

  • Of course, we encourage vendors to address security vulnerabilities in as short a period as possible, but also recognize that too much focus on reducing time-to-patch can produce a less-than-optimal result. Our emphasis is on achieving the best improvement in overall security or privacy, so speed of mitigation is always a balancing act.
  • In general, we commit to not publishing a vulnerability disclosure: for 90 calendar days from receiving the vendor’s initial response; or for 90 days from making the first contact attempt in cases where there is no vendor response, or the vendor does not respond satisfactorily and remains unwilling to work cooperatively; or at an earlier time in coordination with the vendor’s release of an update or patch that addresses the vulnerability.
  • However, we reserve the right to publish a vulnerability disclosure at any time, depending on various factors including but not limited to: the vendor releasing an update without cooperating with this process; other researchers independently publishing details of the vulnerability; the discovery of the vulnerability being exploited in real-world attacks; or a significant change for the worse in our assessment of the impact of the vulnerability.
  • For example, should we deem that public interest requires immediate publication (such as active exploitation of a high impact vulnerability in the wild), we reserve the right to publish the research within 7 calendar days of our first notification attempt, or possibly even sooner in extremely urgent cases such as a computer worm exploiting a zero-day networking vulnerability to spread across the internet. In such cases, this intention will be clearly described in the vulnerability disclosure report sent to vendors.
  • In exceptional cases, we may, at our sole discretion, grant a grace period longer than 90 days. Vendors that require more time to develop, test and release suitable mitigations should raise the possibility of needing more time as early in the coordinated disclosure process as possible.
  • Finally, we reserve the option of disclosing the discovery to a trusted third party, such as a CSIRT, national CERT or suitable industry coalition (e.g. FS-ISAC, ICASI) for the purpose of having it assist with disclosure coordination, or even handle the disclosure coordination outright. In the latter case the disclosure policies of that organization, and not this policy, will apply.