“Reporting a vulnerability to CERT-In does not imply being exempt form compliance. Discloser shall be responsible for any action performed by her/him discovering the vulnerability whatsoever,” the Indian Computer Emergency Response Team (CERT-In) said in its new Responsible Vulnerability Disclosure and Coordination Policy. This essentially means that cyber researchers and ethical hackers who report vulnerabilities of websites or systems may be liable to prosecution and must comply with the relevant laws such as the IT Act 2000 and 2008 (amendment). Until now, there was a shortcoming in the availability of information in regards to current vulnerability disclosure programmes and processes of Indian government entities. As a Centre for Internet and Society research study stated, there are “several sections and provisions within the IT Act 2000 which have the potential to disincentivise legitimate security research, even if the same has been carried out in good faith”. Thus, it was imperative for the Indian government to come out with a vulnerability disclosure policy that encourages such research, rather than the current policy, which many feel, is detrimental to the effort. For instance, many netizens termed this move as “shooting the messenger”. https://twitter.com/BharatVarma3/status/1433657123943030790 https://twitter.com/digitaldutta/status/1433649956506591242 Other details of the vulnerability policy Details expected for CERT-IN to look into claims of vulnerability The product(s) affected The exact software version or model affected Vendor details Description of the vulnerability along with concise steps to reproduce the reported vulnerability along with supporting evidence such as: Proof of concept (PoC) Code sample Crash reports Screenshots and Video recording…
