ECCSA offers support for vulnerability disclosure to individuals, attempting to coordinate with the affected vendor and the various stakeholders.
In line with the indication given in the ICAO cyber strategy, this support service is established to enable cooperation with ‘good faith’ security research activities, which are research activities carried out in an environment designed to avoid affecting the safety, security and continuity of civil aviation.
Vulnerabilities reported to ECCSA are assessed by a Technical Task Force, involving sector relevant experts, who performs an initial verification of the legitimacy of the discovered issue, as well as determines the potential impact. If the vulnerability will be confirmed, ECCSA will grant a safe harbour for good faith reporters and full support to get in contact with the affected vendors. The name and contact information of the reporter will be forwarded to the affected vendors unless otherwise requested by the reporter.
It is the goal of this process to balance the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively. The process steps, as well as the appropriate timeframe for mitigation development and the schedule of disclosure will be determined based on the factors involved, acting in the best interests of the community overall. Extenuating circumstances, such as active exploitation, threats of an especially serious nature, or situations that require changes to an established standard may result in earlier or later disclosure.
Request Assistance for Vulnerability Disclosure
The following form allows sending a request of assistance for vulnerability disclosure by providing some initial information. Please do not include sensitive information about the vulnerability in the following fields; you will be given proper instructions to provide further details.
Please provide an overview of the discovered vulnerability or multiple vulnerabilities without sharing sensitive technical details. A detailed report will be requested afterword.