Vulnerability Disclosure Policy & Guidance

Procedures for vulnerability reporting, CVE assignment, and publication, ensuring secure, responsible disclosure practices while protecting users and fostering collaboration between researchers, vendors, and stakeholders.

General Information

Disclosure Alert, a public service offered by Edgewatch, aims to enhance the security and transparency of vulnerability reporting. As of April 30, 2024, Edgewatch has been officially designated as a CVE Numbering Authority (CNA) under the Common Vulnerabilities and Exposures (CVE) program. This designation authorizes Edgewatch to assign CVE identifiers and manage the publication of vulnerabilities within its defined scope. Our policy aligns with the best practices of the CVE program, ensuring that end users and organizations have access to mitigation mechanisms before a vulnerability is disclosed publicly.

Scope of Notification

Edgewatch’s CNA scope includes vulnerabilities in Edgewatch’s customers’ products or services and vulnerabilities in third-party software that Edgewatch discovers, provided those vulnerabilities are not within another CNA’s scope. These types of vulnerabilities should be reported directly to Edgewatch for evaluation and potential CVE assignment.

Excluded Cases

This policy does not cover vulnerabilities that already have a CVE identifier assigned and published, or those within another CNA’s scope. In such cases, reporters should contact Edgewatch’s incident reporting section for appropriate follow-up and mitigation.

Reporting a Vulnerability to Edgewatch’s CNA

To submit a potential CVE candidate to Edgewatch, you must complete our Report Vulnerability Form. This form will guide you through the entire CVE assignment and publication process. To maintain the confidentiality of the information being transmitted, it is highly recommended that all communication be encrypted using the provided public PGP key, which can be downloaded from our site.

The accepted language for vulnerability submissions is English, and any information exchanged with Edgewatch will be handled in accordance with Edgewatch’s Personal Data Protection Policy.

CVE Assignment and Publication Process

  1. Receipt and Acknowledgment
    After the submission of a vulnerability report, Edgewatch will confirm receipt within three working days and initiate communication with the reporter to discuss the details of the vulnerability.
  2. Timeline for Assignment and Publication
    The timeline for the assignment and publication of a CVE identifier will be agreed upon between Edgewatch, the reporting researcher, and the organization responsible for the affected asset. This agreement ensures that a solution is actively being developed before the vulnerability is made public.
  3. Extended Assignment Periods
    If additional time is needed to implement a solution, the agreed-upon timeline may be extended, provided the involved parties demonstrate continued progress toward resolving the vulnerability.
  4. Disclosure Practices
    Edgewatch will not publicly announce a CVE until a mitigation or correction is available, provided a solution is in progress. However, if the CVE is deemed highly likely to be exploited or has a significant impact, Edgewatch reserves the right to notify other interested parties before the CVE is formally assigned and published.
  5. Default Publication Timeline
    If the responsible party fails to provide sufficient evidence of remediation within 60 days of the agreed-upon timeline, Edgewatch reserves the right to assign and publish the CVE without further delay. This ensures timely disclosure and protects the security of users and systems.

Communication Protocols and Data Protection

All communication between Edgewatch and the reporting party must adhere to the highest standards of confidentiality. To ensure the security of sensitive information, reporters are encouraged to encrypt all correspondence with Edgewatch’s public PGP key. Edgewatch will handle all submitted data in compliance with its Personal Data Protection Policy, ensuring the protection of personal and sensitive information throughout the disclosure process.