HackRTU is part of the MITRE CVE Program as a Research CNA.
Our team's experience in vulnerability discovery, reporting, and management has allowed HackRTU to join this program with INCIBE as a Root-CNA since July 2025.
HackRTU, as the entity responsible for addressing zero-day vulnerabilities found in research projects or with clients, provides the following Disclosure Policy. Through this policy, HackRTU wishes to highlight its ethical commitment to addressing vulnerabilities, based also on its mission, vision, and values.
Following the discovery of a vulnerability, HackRTU will attempt to contact the affected parties. Whether the vulnerabilities were detected in research projects or in specific projects with clients, the action plan will be coordinated with both the suppliers and the clients themselves.
Initially, contact will be made via email to the affected supplier or through any secondary mechanism enabled by the supplier, provided that it meets the minimum-security standards for communications of this nature.
In addition, the following points should be taken into account, which determine the timing of the disclosure process:
If a deadline falls on a Spanish holiday or weekend, the deadline will be moved to the next business day.
HackRTU has 72 hours to respond to a reported vulnerability.
HackRTU gives vendors four weeks (28 days) to respond to the reported potential vulnerability. If, after that time, no response has been received, HackRTU will inform the vendor that the vulnerability will be made public after another 28 days.
If the vendor provides a response to HackRTU, there will be a 90-day period after the first contact for the vendor to provide a solution to the problem.
If, after the first contact, the vendor does not respond within the established 90 days, HackRTU will inform the vendor that the vulnerability will be made public after another 28 days.
If the vendor fixes the security issue, HackRTU will wait 15 days after the patch is released before publishing the detected vulnerability.
It's worth noting that, based on our commitment to improving the security of industrial devices and helping the community, HackRTU will take into account various aspects and will always try to help vendors and researchers ensure that vulnerability reporting and disclosure are done in an ethical and responsible manner.
HackRTU researchers reporting a vulnerability to the HackRTU CNA must comply with and review the following terms and conditions when reporting the vulnerability.
The HackRTU PGP for encrypted email communications is provided below.
Following the report by the researcher, HackRTU will contact you within the deadlines established in this policy and provide a tracking number.
HackRTU reserves the right to determine whether the information provided by researchers is valid and sufficient for reporting the vulnerability and also reserves the right to determine whether or not it constitutes a vulnerability.
If the report is determined to constitute a vulnerability, the process explained above will be followed, always in conjunction and coordination with the affected vendor and the researcher who detected the vulnerability.
To ensure the ICS community is notified of discovered vulnerabilities, HackRTU will make every effort to ensure that the CVE ID is assigned and published. If the vendor is not a CVE Numbering Authority (CNA), HackRTU will reserve the CVE ID after the vendor confirms the security issues.
The CVE assignment will be shared with the vendor as soon as possible. Once the advisories are made public, MITRE and, where appropriate, national computer emergency response teams will be notified.