Security disclosure policy

Disclosure Policy

Security4Media (hereafter S4M) is a non-profit association that aims to build a secure and trustworthy media landscape through collaboration among media organizations (Customers), cybersecurity experts (Reporters), and technology companies providing media systems (Vendors).

Vulnerability reporting

Any cybersecurity Reporter can report new vulnerabilities they have found in media systems to the following e-mail address: info@security4media.org.

The report should include the Vendor's name, the product name (e.g. device model and firmware version), the vulnerability class (according to the OWASP Top 10) and an initial CVSS score and vector string. The Reporter should include as much information as possible to enable reproduction of the vulnerability, such as a detailed summary, proof-of-concept exploit code, screenshots, a description of the tests conducted, and so on.

Within 8 working days, the S4M Cybersecurity team may contact the Reporter to obtain any further information required to assess and replicate the vulnerability.

CVE Assignment

If a submission does not already have a CVE assigned and is not in the scope of another CNA, it is handled under the general CNA Rules: Security4Media assigns a new CVE ID as soon as the submission is validated and notifies the Reporter and the Vendor.

If the affected Product is in the scope of another CNA, S4M contacts that CNA to transfer the CVE to it.

Security4Media informs the Swiss National Cyber Security Centre (NCSC) once a CVE ID is assigned.

In accordance with the Federal Act on Information Security (Art. 73c, paras. 1 and 2), the NCSC may publish information on vulnerabilities, indicating the affected software or hardware; under certain conditions this publication can also serve as a CVE reference.

Security4Media will write to the Vendor's security contact to disclose the vulnerability. If the Vendor is not a member of Security4Media and has no publicly available address for vulnerability disclosure, Security4Media will use a generic contact form or e-mail address available on the Vendor's website.

Within 8 days, the Vendor should reply with the following information:

  1. Acknowledgement that the vulnerability report has been received.
  2. Proposal of temporary mitigation strategies that prevent the exploitation of the vulnerability.
  3. An estimate of when a permanent patch that completely resolves the vulnerability will be available.

Mitigation

After notification, the Vendor should immediately start developing a patch that permanently resolves the vulnerability. For high-severity vulnerabilities (CVSS base score of 7.0 or above), the Vendor should warn its customers and recommend a mitigation plan. The Vendor should keep S4M regularly updated on the status of patch development. The Vendor is expected to deliver an effective patch within 3 months of the vulnerability submission, i.e. of receiving the initial report of the vulnerability. The Vendor may ask the Reporter, S4M or S4M's members for support in retesting the patched Product.

In case of a critical vulnerability, S4M reserves the right to inform all of its members in the private and public media constituencies that could be affected.

Vulnerability Publication

Once a patch is available, the Vendor notifies S4M and provides links to the patch. Security4Media then publishes the CVE with detailed information on how to patch the Product.

If the Vendor does not answer within 8 days of the first contact, or does not provide a patch within 3 months of CVE assignment, S4M will continue the disclosure process in collaboration with the National Cyber Security Centre (NCSC).

Confidentiality

Security4Media will provide information to the NCSC only, using the NCSC's standard reporting process. All information on reported vulnerabilities is kept confidential by the Cybersecurity team until publication is validated. If agreed with the Vendor, some information may be shared with an S4M member supporting S4M, for example to replicate the vulnerability.

Reporter Anonymity

S4M guarantees the anonymity of the Reporter on request. Communication with the Reporter is shared with S4M members only if the Reporter authorizes it.

The Reporter will be listed in the credits as « finder » unless they request anonymity.

Disputes

If a third party does not agree with a vulnerability disclosure, they may contact us and open a dispute. Disputes are handled as specified by the CVE program.

Validation

If a submission qualifies as a new vulnerability, it is validated and a new entry is created from the submission.

Splits

If a submission contains multiple vulnerabilities, it is split into separate entries, one per vulnerability. Each split entry is handled independently.

Merges

If a submission is identified as a duplicate of an existing entry, the data from the submission is merged into that entry. The Reporter is listed as a contributor and committer to the entry.