Responsible Disclosure: Dealing responsibly with security vulnerabilities

In the course of their work, our IT security experts repeatedly identify previously unknown vulnerabilities in software products and handle this knowledge responsibly. With Responsible Disclosure, the DGC relies on a process that is well established in cyber security: manufacturers are promptly supported in closing vulnerabilities, users of the affected product as well as the public are informed, and targeted cyber attacks on companies are counteracted.

Disclosure Policy: Our approach in detail

In order to sustainably harness the opportunities of digital transformation and minimize risks, the DGC identifies vulnerabilities in software products and network environments, even when not commissioned to do so. Once we have identified a previously unknown vulnerability, it is published responsibly in this section of our website and may be submitted for inclusion in the CVE list (Common Vulnerabilities and Exposures) of publicly known vulnerabilities.

Our approach is guided by the Coordinated Vulnerability Disclosure guidance issued by national Computer Emergency Response Teams (CERTs):

The manufacturer is informed in writing about the discovered vulnerabilities. Once it has provided a solution, or 28 days after being confidentially made aware of the vulnerability, the DGC publishes detailed information. This time frame can be extended if the manufacturer provides a written explanation and both parties have agreed on a new date for the responsible publication of the vulnerability.

In this way, we fulfill our objective of providing potentially affected users with timely and consistent information so that they can protect themselves. At the same time, this is a fair compromise between the interests of the public and those of the affected companies.

Current articles in the area of Responsible Disclosure

  • 12.05.2021

    PwnDoc – Incorrect Access Control

    “PwnDoc is a pentest reporting application making it simple and easy to write your findings and generate a customizable Docx report. The main goal is to have more time to Pwn and less time to Doc by mutualizing data like vulnerabilities between users.” – Official README.md. We at the DGC wanted to streamline our documentation and reporting processes and decided to …


  • 28.04.2021

    LivingLogic XIST4C (CMS) – XSS Vulnerability

    LivingLogic XIST4C (CMS) before 0.107.8 allows XSS. XIST4C is a content management system developed and distributed by LivingLogic; the software is also known under the name living apps. Cross-Site Scripting (Reflected): the security flaw exists because the software does not neutralize user input before it is placed in output that is used as a web …

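The reflected XSS described in the XIST4C entry above follows the generic pattern of echoing a request parameter into HTML without encoding it. The following is an added example and not code from XIST4C, LivingLogic or the DGC advisory; it makes no claim about where the flaw sits in XIST4C. It shows a hypothetical search handler (the `q` parameter, `renderSearchVulnerable`, `renderSearchHardened` and `escapeHtml` are all assumptions) that reflects the query into the page, beside its hardened form that HTML-encodes the input for the context it lands in.

```javascript
// Added example, not part of the XIST4C project or the advisory above.
// A hypothetical search endpoint reflects the "q" parameter into HTML.

// Constructed attack request: the search term carries a script payload.
const ATTACK_QUERY = '<script>alert(document.cookie)</script>';
const REQUEST = 'https://cms.example.invalid/search?q=' + encodeURIComponent(ATTACK_QUERY);

// Encode the characters that change meaning in an HTML text or attribute
// context. '&' must be replaced first so already-encoded output is not
// double-encoded by the later replacements.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: user input is placed in the output without neutralization,
// so a crafted link makes the victim's browser execute attacker script.
function renderSearchVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: the same page, with the input encoded for the HTML context.
// The payload is now displayed as text instead of being parsed as markup.
function renderSearchHardened(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Simulates the server side: pull "q" from the request URL (as a browser
// would send it) and hand it to the chosen renderer.
function handleRequest(requestUrl, render) {
  const query = new URL(requestUrl).searchParams.get('q') ?? '';
  return render(query);
}

// Crude detection for the demonstration: did the input introduce a script
// element into the rendered page?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable:', handleRequest(REQUEST, renderSearchVulnerable));
console.log('hardened:  ', handleRequest(REQUEST, renderSearchHardened));
```

Output encoding has to match the context the data is written into: the text/attribute encoding shown here is not sufficient for input placed inside a `<script>` block, a URL or a CSS property, each of which needs its own encoder.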

What is Responsible Disclosure?

If a security vulnerability in a software product is discovered and verified, it is important to act in the interest of general cyber security. Security analysts use the Responsible Disclosure process as the standard: details of a vulnerability are published only after a defined period of time has elapsed, during which the manufacturer is given the opportunity to fix the problem itself. Communication with the manufacturer is encrypted during this time. Once the vulnerability is fixed, a detailed vulnerability analysis and recommendations for correcting the flaw (for example, through updates) are ideally published jointly.

Full Disclosure vs. Responsible Disclosure?

In contrast to Responsible Disclosure, a Full Disclosure publishes previously unknown vulnerabilities that could be misused by cyber criminals immediately. Those who choose this approach usually assume that public pressure and the threat of reputational damage will get the problem fixed faster.
Both approaches focus on transparency: companies, users and the public should be informed so that they can prepare for security breaches. Only the timing of publication differs.
