CERT-In has a new vulnerability disclosure policy that doesn’t spare the messenger

The policy introduced by India’s first responder to cyber attacks could put researchers and ethical hackers in harm’s way.

“Reporting a vulnerability to CERT-In does not imply being exempt from compliance. Discloser shall be responsible for any action performed by her/him discovering the vulnerability whatsoever,” the Indian Computer Emergency Response Team (CERT-In) said in its new Responsible Vulnerability Disclosure and Coordination Policy.

This essentially means that security researchers and ethical hackers who report vulnerabilities in websites or systems may be liable to prosecution and must comply with the relevant laws, such as the IT Act 2000 and its 2008 amendment.

Until now, there has been little public information about the vulnerability disclosure programmes and processes of Indian government entities. As a Centre for Internet and Society research study stated, there are “several sections and provisions within the IT Act 2000 which have the potential to disincentivise legitimate security research, even if the same has been carried out in good faith”.

Thus, it was imperative for the Indian government to come out with a vulnerability disclosure policy that encourages such research, rather than the current policy, which many feel is detrimental to the effort. For instance, many netizens termed this move “shooting the messenger”.

Other details of the vulnerability policy

Details CERT-In expects in a report before it looks into a vulnerability claim

  • The product(s) affected
  • The exact software version or model affected
  • Vendor details
  • Description of the vulnerability, with concise steps to reproduce it and supporting evidence such as:
    • Proof of concept (PoC)
    • Code sample
    • Crash reports
    • Screenshots, video recordings, etc.
  • The impact of exploiting the vulnerability
  • Other products or software versions likely to be affected
  • How the vulnerability was discovered
  • The tools used for discovering the vulnerability
  • Information on any known exploit
  • Time constraints with respect to going public about the issue (e.g. article, blog or conference, etc.)
  • Whether the vulnerability has already been reported to the vendor/other agency or any plan to do so
  • Whether the reporting party wants to remain anonymous during the coordination process
  • Whether the reporting party wants to be mentioned in the vulnerability note/advisory

Coordination for resolution

CERT-In, in the policy, said it will examine and validate the vulnerability report. “Upon successful validation, CERT-In will initiate coordination with the relevant product vendor(s), discloser and other stakeholders (if required) for the remediation and closure of the issue,” the policy said.

CERT-In shall make all possible efforts to limit the disclosure to a bare minimum. However, situations may arise where assistance from trusted third parties may be required, in which case CERT-In will be sharing a subset or all the vulnerability information, as the case may be, with the trusted third parties — Responsible Vulnerability Disclosure and Coordination Policy

Timeline for resolving the issue

CERT-In said that it will try to get the issue resolved within 120 days from the initial vendor contact date. However, it added that the timeframe could change if the vulnerability is:

  • Being actively exploited
  • Reported by multiple sources to CERT-In or the affected vendor/ developer
  • Considered to be exceptionally serious (such as threatening public safety)
  • On agreement between the discloser, CERT-In, and the affected vendor/developer.

It may be noted that situations may arise where the issue is not resolved within 120 days, e.g. due to disagreement between vendor and discloser, non-response from vendor, etc. CERT-In may consider closing the issue in such cases with intimation to the discloser, or make the vulnerability public and stop the coordination effort with the vendor — Responsible Vulnerability Disclosure and Coordination Policy

Difficulties faced in reporting vulnerabilities: CIS

The Centre for Internet and Society, which interviewed hackers for its 2019 report “Improving the Processes for Disclosing Security Vulnerabilities to Government Entities in India”, noted the following problems that they face while reporting vulnerabilities.

Process: Hackers said that it was difficult to identify to whom a particular security vulnerability should be reported, as government websites in India often do not include contact information for the submission of security vulnerabilities.

Communication: The report mentioned that there is a lack of clarity on what happens to a vulnerability report after it is submitted. “This results in a situation where security researchers invest a significant amount of time and effort to first report a vulnerability and then repeatedly attempt to follow up on whether it has been fixed,” it added.

Accessibility: The process of submitting details regarding security flaws can sometimes itself pose a challenge.

Update, September 9, 12.44 pm: Added reactions in the form of tweets by V Anand

Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
