The issue of how to approach and deal with zero days has become the focus of an important ethical discussion within the security community, and Fox-IT, as a security company, is squarely in the middle of this discussion. Within the framework of the company’s policy on corporate social responsibility, the ethics committee of Fox-IT has adopted a clear and transparent position with regard to zero days. This committee is composed of Fox-IT employees and has the support of management.
A zero day report enables a software supplier to resolve the vulnerability and this, in turn, contributes to a more secure infrastructure and therefore to a ‘more secure society’. In addition, there are situations in which an intelligence or investigation service can make use of a vulnerability to help in the investigation of criminal organizations, child pornography networks, or terrorists. Such actions also contribute to a safer and more secure society.
Our position with regard to the identification of vulnerabilities and delivery of services
If Fox-IT discovers an unknown vulnerability, within the framework of its own research or client contracts, it shares this information only with the supplier in question and, when relevant, the client concerned. In general, Fox-IT acts in compliance with its company policy on zero days. In no case will Fox-IT keep information about unknown vulnerabilities secret or share it with additional third parties, including investigation or intelligence services.
Since it was founded in 1999, Fox-IT has never carried out a search for unknown vulnerabilities at the request of an investigation or intelligence service. However, we cannot rule out such a possibility in the future. If there is an acute and immediate threat to society or the public, and the intelligence and investigation services ask for Fox-IT’s assistance, the ethics committee of Fox-IT will advise based on a risk analysis. The management will always take the advice of the ethics committee into consideration. This has been formalized in the company’s policy on corporate social responsibility. When Fox-IT decides to assist intelligence and investigation services, this will always be for ethical reasons, i.e. to contribute to a safer society, and never for motives of company profit.
Our policy with regard to unknown vulnerabilities
In the course of its work for clients or its own research activities, Fox-IT regularly (approximately 10 times a year) comes across (as yet) unknown vulnerabilities in hardware or software. If Fox-IT discovers a vulnerability in the course of its own research, it will always immediately inform the supplier concerned. If Fox-IT is also in possession of exploit code, it will share this code with the supplier as well. If Fox-IT discovers the vulnerability while carrying out work for a client, the client is also involved in the process of disclosure. Fox-IT informs the client of any risks that the client may be exposed to as a result of the (as yet unknown) vulnerability, and of mitigation measures that could be taken for as long as the vulnerability has not yet been resolved by the supplier.
In reporting vulnerabilities to suppliers, Fox-IT follows a procedure of coordinated disclosure. Fox-IT first contacts the supplier directly with the information and gives the supplier a reasonable amount of time, generally 30 days, to resolve the vulnerability. If the supplier does not resolve the vulnerability within the time frame specified, then Fox-IT publicly discloses the information about the vulnerability and mitigation measures.