
Vulnerability disclosure policy

At PCAutomotive, cyber security is our number one priority. Our team thrives on making modern technologies secure for their users. We do whatever it takes to safeguard our customers, partners, as well as third-party vendors and their clients.

Due to the nature of security research, we sometimes discover vulnerabilities in third-party products and solutions. For newly identified vulnerabilities, timing is critical: adversaries may already be using them for malicious purposes. Therefore, to protect users, we do our best to communicate with the vendor and address identified security issues as quickly as possible, following the industry-recognized Responsible Vulnerability Disclosure process and ISO/IEC 29147:2018 "Information technology — Security techniques — Vulnerability disclosure".

For fast and effective communication with the vendor, we prepare a security advisory containing technical details about identified vulnerabilities, instructions for the vendor on how to trigger them (if applicable), as well as mitigation recommendations.

After preparing the security advisory, we perform the following steps:

• PCAutomotive notifies the vendor of a vulnerable solution via contacts of the vendor’s security team, taking into consideration all instructions and requirements provided on the vendor’s website. We always exercise a great deal of caution regarding the sensitivity of such a communication. Therefore, we apply encryption to all files sent to the vendor in digital format.

• If no official security contact can be identified, we try to communicate by email, phone, or physical mail to the most appropriate resources of the vendor.

• If no vendor response is received within 2 weeks after the initial contact, PCAutomotive will work with a coordinator, such as CERT/CC (http://www.cert.org), to disclose the vulnerability to the public in order to protect users.

• Once we reach the vendor, communicate our findings, and receive delivery confirmation, PCAutomotive expects the vendor to release appropriate fixes within the industry-standard 90-day period. If the default 90 days are not enough for the vendor to fix any of the vulnerabilities, an extension of this time limit is possible for that specific vulnerability, provided that communication and remediation efforts are ongoing. However, it is important to understand that the more time spent on this step, the higher the risk that end users are compromised by potential adversaries.

• At any time within this 90-day period, we will do our best to answer the vendor's questions regarding our security findings.

• If the vendor stops communicating with PCAutomotive during the 90-day period, we reserve the right to publicly disclose our findings in a limited format that does not contain information that would allow other parties to exploit the vulnerabilities.

• Once the fixes are released, PCAutomotive will wait 30 calendar days to allow all users to apply these fixes to their systems, before publishing the vulnerability details.

• While the vendor addresses our findings, we will keep our discoveries highly confidential.

Note on CVEs: CVE IDs are the industry standard for uniquely identifying vulnerabilities. To avoid confusion, it is important that the first public mention of a vulnerability includes a CVE ID. We will take care of contacting the corresponding coordinator and reserving CVE IDs for all identified vulnerabilities in advance of publishing them, unless other terms regarding the CVE assignment process are mutually agreed upon between PCAutomotive and the vendor.

PCAutomotive plays an active role as a security research team, so we would appreciate the vendor crediting PCAutomotive in any publications regarding the related vulnerabilities. PCAutomotive would also be grateful if the vendor included our team members in their security Hall of Fame.

Always feel free to contact us at info@pcautomotive.com for any matters related to our vulnerability disclosure process.