Vulnerability Disclosure Program

The goal of the NTT Security Vulnerability Disclosure Program (SVDP) is to distribute vulnerability information to the public in a controlled manner, following common industry practices associated with disclosing newly identified vulnerabilities. The vulnerabilities disclosed during this process have been identified by the Global Threat Intelligence Center (GTIC). It is not the intention of NTT Security to release vulnerability information before first attempting to contact the software or hardware vendor and discussing patch and remediation options.

NTT Security Vulnerability Disclosure Lifecycle

In the absence of pre-existing contractual arrangements, NTT Security follows a three-step process for the NTT Security Vulnerability Disclosure Lifecycle (SVDL), as described below.

Step 1 - Vulnerability Discovery

During routine vulnerability research activities, it is possible that research being performed may result in the discovery of a vulnerability not previously disclosed publicly. Upon discovery of a new vulnerability, NTT Security will verify, using various open-source vulnerability databases, that the vulnerability has not been previously discovered or disclosed.

Vulnerability databases referenced for verification include but are not limited to the following resources:

Should NTT Security determine that the discovered vulnerability has not been previously discovered or disclosed, NTT Security will advance to Step 2 of the SVDL process.

Step 2 - Vendor Notification

The GTIC will attempt to contact the vendor via e-mail and notify them of the newly discovered vulnerability. As part of the process, NTT Security sends e-mails to multiple e-mail notification addresses at the vendor's primary e-mail domain. Unless a specific e-mail address is provided for vulnerability disclosures or security-related issues on the vendor's Web site, NTT Security sends the initial notification to the following e-mail aliases: security@, info@, sales@, support@, and security-alert@.

During this initial e-mail notification, NTT Security will indicate the plan to disclose the vulnerability according to a specific timeline. The vendor is encouraged to reply to the initial e-mail and work with NTT Security to determine a solution timeline. The timeline for release and notification is outlined in Step 3. The initial e-mail will also provide the vendor with information about the vulnerability, scope of vulnerability, disclosure timeline, and other useful information for reproducing the issues discovered. In cases where proof-of-concept (POC) exploit code is available, NTT Security will provide and securely transmit such information upon request to the vendor. This includes all code and information required to allow the vendor to verify the vulnerability and develop an appropriate solution.

Simultaneous with the vendor being notified, NTT Security may implement vulnerability detection and protection for its customers through the ActiveGuard® managed security service.

If the GTIC does not receive acknowledgement of the vulnerability or indication that the e-mail was received and reviewed by the vendor, the GTIC will send a follow-up notification e-mail 15 calendar days after the initial notification e-mail. Additionally, the GTIC will attempt to contact the vendor via telephone if appropriate contact information is available. Should there be a lack of response from the vendor, NTT Security will still maintain the predetermined release schedule. All vulnerability releases follow the timeline as indicated to the vendor through this policy where possible.

Step 3 - Public Notification

Public notification and disclosure of the vulnerabilities discovered and reported to the vendor is an important part of the SVDL. NTT Security will publicly disclose the vulnerability information approximately 45 calendar days from the date NTT Security sends the initial notification of intent to release to the vendor.

Public disclosure will include the release of the vulnerability details on the NTT Security Web site. NTT Security will also release the vulnerability details through industry standard vulnerability database Web sites.

Regardless of vendor acceptance or validation of the vulnerability, the GTIC will release the vulnerability to the public upon completion of the steps defined above. Unless there are exceptional circumstances where the GTIC has determined a delayed public release period is warranted, NTT Security will follow the previously described disclosure process. All decisions regarding final public release status are made at the discretion of the GTIC.

Early Disclosure Guidelines

In certain cases it may become necessary to release the vulnerability details prior to the initial release schedule. Some of these cases may include but are not limited to the following:

  • Vendor releases a patch and acknowledges the vulnerability publicly in advance of the indicated timeline
  • Widespread exploitation of the vulnerability is evident
  • Media coverage about the vulnerability exposes the vulnerability to the public

NTT Security Vulnerability Disclosure Program Change Control

NTT Security updates the SVDP policies, processes, and procedures on a regular basis. NTT Security reserves the right to modify the policies and procedures associated with the program without notice to the vendor. Vendors are encouraged to contact NTT Security should clarification of the disclosure policy be required.

For specific questions about the SVDL process, contact NTT Security or e-mail us at us-info@nttsecurity.com.
