Respon­sible Dis­closure:
Dealing respon­sibly
with security vul­ner­abili­ties

In the course of their work, our IT security experts repeatedly identify unknown vulnerabilities (so-called “zero-day” or “0-day”) or already known vulnerabilities and misconfigurations in software products, network environments and directly on the Internet. Our experts handle this knowledge very responsibly. With Responsible Disclosure, DGC AG relies on a process that is well-established in the cyber security world: manufacturers or operators are promptly informed about the existence of a vulnerability and supported with targeted information on how to close it. Users of the affected product or service and the public are then informed.

Disclosure Policy: Our approach in detail

  • In order to sustainably exploit the opportunities of digital transformation and minimize risks, DGC AG identifies vulnerabilities in software products, network environments or directly on the Internet – even without a specific order.
  • If we have identified a known or new vulnerability or even a misconfiguration, the manufacturer/vendor will be informed in writing about the discovered vulnerability and the necessary details and thus actively supported in closing this gap free of charge.
  • After the vendor/provider has provided a solution, the vulnerability has been closed, or at the latest 28 days after being made aware of the vulnerability in confidence, the DGC AG will publish detailed information at this point on our website. 
  • Furthermore, we enter the vulnerability in the CVE directory for generally known vulnerabilities. In addition, we inform the general public about this in relevant media. The time period can be extended if the manufacturer/vendor submits a written declaration for this and a new time for the responsible publication of the vulnerability is agreed.

Our approach is based on the Coordinated Vulnerability Disclosure Guidance issued by the national Computer Emergency Response Team (CERT). In this way, we do justice to our concern to provide potentially affected users with timely and consistent information to protect them. At the same time, there is a fair compromise between public interests and those of companies.

Current articles in the area of
Responsible Disclosure

  • dgc-responsible-disclosure-cve-2021-31590

    PwnDoc – Incorrect Access Control

    “PwnDoc is a pentest reporting application making it simple and easy to write your findings and generate a customizable Docx report.The main goal is to have more time to Pwn and less time to Doc by mutualizing data like vulnerabilities between users.” – Official We at the DGC wanted to streamline our documentation and reporting processes and decided to …

    Weiterlesen …

  • dgc-responsible-disclosure-cve-2021-26122

    LivingLogic XIST4C (CMS) – XSS Vulnerability

    LivingLogic XIST4C (CMS) before 0.107.8. allows XSS XIST4C is a content management system developed and distributed by LivingLogic. The software is also known by the name living apps.  Cross Site Scripting (Reflected) The security flaw exists because the software does not neutralize user input before it is placed in output that is used as a web …

    Weiterlesen …

What is Responsible Disclosure?

If a security vulnerability in software products is discovered and verified, it is important to act for the sake of general cyber security. Security analysts use the Responsible Disclosure Process as standard: Details of a vulnerability are only published after a specific period of time has elapsed, during which a manufacturer is allowed to fix the problem itself. Communication with the manufacturer is encrypted during this time. Once the vulnerability is fixed, a detailed vulnerability analysis and recommendations for correcting the error – for example, through updates – will be ideally jointly published.

Full Disclosure vs. Responsible Disclosure?

In contrast to a Responsible Disclosure, unknown vulnerabilities that could be misused by cyber criminals are published immediately in a Full Disclosure. Those who choose this approach usually assume that the danger situation will be eliminated more quickly by public pressure and imminent loss of image.
Both approaches focus on transparence: Companies, users and the public should be informed so that they can prepare to security breaches – only the time of publication is different.

Follow us on