FAQ for manufacturers

-
As part of its CVD process, CERT-Bund contacts product managers or manufacturers in order to remedy vulnerabilities reported to the BSI/CERT-Bund that affect an IT product, IT system or web application of your company. If you are unsure, you can contact the BSI's official contact point and ask for mediation/clarification.
-
If a company has not published a recognizable IT security contact on its website, the BSI will try to get in touch via the contact addresses provided on the manufacturer's website; for e-mail, these are typically addresses such as the data protection contact or info@. We strongly recommend that companies provide a security.txt (RFC 9116) and offer a dedicated IT security contact on their own company website. Further information can be found in the publications of the BSI, e.g. at https://www.allianz-fuer-cybersicherheit.de/SharedDocs/Downloads/Webs/ACS/DE/BSI-CS/BSI-CS_019.pdf.
-
After receiving the vulnerability report, you should forward it to the responsible department in your company and then confirm receipt of the report to the BSI/CERT-Bund within three working days (by telephone or e-mail). You can then work on analysing and fixing the vulnerability. When fixing it and creating patches/mitigation measures, you should always pay attention to any disclosure date that may have been set. If the security researcher sets a deadline, the BSI will inform you of this as part of its notification. It is important that you acknowledge communications in a timely manner throughout the process and keep everyone involved informed.
At the end of the CVD process, a security advisory is usually published. For this purpose, the BSI recommends using the CSAF standard with the "Security Advisory" profile.
-
The Common Security Advisory Framework (CSAF) addresses two problems with security advisories: on the one hand, it specifies how security advisories can be found; on the other hand, it specifies the structure and format of security advisories.
This makes it easier for users to find and evaluate them. In addition, a human-readable advisory can easily be generated from a CSAF document. Online tools such as Secvisogram can be used to create one.
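The following is an added example (not from the BSI FAQ or the CSAF project) of what a minimal CSAF 2.0 document in the "Security Advisory" profile looks like, built as a plain dictionary that can be written out with json.dumps. The vendor name, namespace, tracking ID, product IDs, dates and description are constructed placeholders. The check function covers only a subset of the profile's mandatory fields and one consistency rule (every product ID referenced in product_status must be defined in the product tree); the official CSAF JSON schema and validator should still be run on real advisories.

```python
"""Minimal CSAF 2.0 document in the 'csaf_security_advisory' profile.

Added example, not from the BSI FAQ or the CSAF project. The check covers
only a subset of the mandatory fields (CSAF 2.0 sections 3 and 4.3) plus the
rule that every product ID used in product_status must be defined in the
product tree; run the official CSAF schema/validator on top of this.
"""
import json
import re


def build_advisory(vendor, namespace, tracking_id, title, release_date,
                   products, affected, fixed, description, cve=None):
    """Assemble a CSAF security advisory as a dict.

    products: {product_id: human-readable name}; affected/fixed: lists of
    product_ids; release_date: ISO 8601 timestamp string from the caller.
    """
    vuln = {
        "notes": [{"category": "description", "text": description}],
        "product_status": {"known_affected": list(affected), "fixed": list(fixed)},
    }
    if cve:  # optional; must match the CVE ID pattern if present
        vuln["cve"] = cve
    return {
        "document": {
            "category": "csaf_security_advisory",
            "csaf_version": "2.0",
            "publisher": {"category": "vendor", "name": vendor, "namespace": namespace},
            "title": title,
            "tracking": {
                "id": tracking_id,
                "status": "final",
                "version": "1",
                "initial_release_date": release_date,
                "current_release_date": release_date,
                "revision_history": [
                    {"date": release_date, "number": "1", "summary": "Initial publication"}
                ],
            },
        },
        "product_tree": {
            "full_product_names": [
                {"product_id": pid, "name": name} for pid, name in products.items()
            ]
        },
        "vulnerabilities": [vuln],
    }


# Dotted paths that must exist in every security advisory (subset of the spec).
REQUIRED = [
    "document.category", "document.csaf_version",
    "document.publisher.category", "document.publisher.name", "document.publisher.namespace",
    "document.title", "document.tracking.id", "document.tracking.status",
    "document.tracking.version", "document.tracking.initial_release_date",
    "document.tracking.current_release_date", "document.tracking.revision_history",
    "product_tree", "vulnerabilities",
]


def _get(doc, dotted):
    """Follow a dotted path through nested dicts; None if any key is missing."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def check_security_advisory(doc):
    """Return a list of problems; an empty list means the implemented checks passed."""
    problems = [f"missing {p}" for p in REQUIRED if _get(doc, p) is None]
    if _get(doc, "document.category") != "csaf_security_advisory":
        problems.append("document.category must be csaf_security_advisory")
    # Only full_product_names is considered here; real trees may also use branches.
    defined = {p["product_id"] for p in (_get(doc, "product_tree.full_product_names") or [])}
    for i, vuln in enumerate(doc.get("vulnerabilities") or []):
        if not vuln.get("notes"):
            problems.append(f"vulnerabilities[{i}] needs at least one note")
        status = vuln.get("product_status")
        if not status:
            problems.append(f"vulnerabilities[{i}] needs product_status")
            continue
        for state, ids in status.items():
            for pid in ids:
                if pid not in defined:
                    problems.append(
                        f"vulnerabilities[{i}].product_status.{state}: undefined product_id {pid}")
    return problems


def csaf_filename(tracking_id):
    """CSAF file-name rule: lower-case the ID, replace anything outside [+a-z0-9-] with '_', add .json."""
    return re.sub(r"[^+a-z0-9-]", "_", tracking_id.lower()) + ".json"


# Constructed sample; all names, IDs, dates and the description are placeholders.
SAMPLE = build_advisory(
    vendor="Example Vendor GmbH",
    namespace="https://vendor.example",
    tracking_id="EXAMPLE-SA-2024-0001",
    title="Placeholder vulnerability in Example Gateway 2.0",
    release_date="2024-05-02T10:00:00.000Z",
    products={"CSAFPID-0001": "Example Gateway 2.0", "CSAFPID-0002": "Example Gateway 2.1"},
    affected=["CSAFPID-0001"],
    fixed=["CSAFPID-0002"],
    description="Placeholder description; version 2.1 contains the fix.",
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))
    print(csaf_filename(SAMPLE["document"]["tracking"]["id"]), check_security_advisory(SAMPLE))
```

The file name helper matters for distribution: CSAF consumers locate advisories by the lower-cased tracking ID, so a mismatch between the `tracking.id` and the published file name is a common cause of advisories that exist but cannot be found.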
-
One of the biggest challenges in the CVD process is identifying the right person to contact. Manufacturers can proactively support security researchers and coordinating bodies by providing their relevant contact details in accordance with the international standard RFC 9116 (security.txt).
-
The BSI recommends the use of functional mailboxes. A distinction should be made between a mailbox for the infrastructure vulnerability team (e.g. a cross-site scripting (XSS) vulnerability in the company's website) and one for the product vulnerability team (e.g. remote code execution (RCE) in a product that the company sells/manufactures). While the addresses "security@domain.tld" or "cert@domain.tld" defined in RFC 2142 can be used for the former, a separate address such as "productsecurity@domain.tld" or "psirt@domain.tld" can be used for the latter. An OpenPGP key should be provided for each address in order to enable encrypted communication.
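As an added example (not part of the BSI FAQ), the following Python script shows what a security.txt following the two previous answers looks like, with separate Contact entries for the infrastructure and product security mailboxes and an Encryption entry per key, and checks it against a subset of the RFC 9116 rules. The domain example.com, the mailbox names and the key URLs are constructed placeholders; the checks are the ones a manufacturer can run on its own /.well-known/security.txt before publishing it.

```python
"""Check a security.txt (RFC 9116) file such as the one a manufacturer serves
at https://<domain>/.well-known/security.txt.

Added example, not from the BSI FAQ. It implements a subset of RFC 9116:
'Field: value' syntax, at least one Contact, exactly one Expires in RFC 3339
form that lies in the future, at most one Preferred-Languages, URI-shaped
values for URI fields, and https for web URIs. PGP-clearsigned files are
not unwrapped here.
"""
from datetime import datetime, timezone
import re

# Constructed sample. It follows the FAQ's recommendation of separate mailboxes
# for infrastructure findings (security@) and product findings (psirt@), each
# with its own OpenPGP key; example.com and the key URLs are placeholders.
SAMPLE_SECURITY_TXT = """\
# Infrastructure vulnerabilities (website, mail servers, ...)
Contact: mailto:security@example.com
# Product vulnerabilities (PSIRT)
Contact: mailto:psirt@example.com
Encryption: https://example.com/.well-known/security-pgp.asc
Encryption: https://example.com/.well-known/psirt-pgp.asc
Expires: 2099-12-31T23:59:59.000Z
Preferred-Languages: de, en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/cvd-policy
"""

FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.+?)\s*$")
URI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")  # RFC 3986 scheme prefix
URI_FIELDS = {"contact", "encryption", "acknowledgments", "canonical", "policy", "hiring"}


def parse_security_txt(text):
    """Return (field_name_lowercase, value) pairs; comments and blank lines are skipped."""
    fields = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'Field: value', got {line!r}")
        fields.append((m.group(1).lower(), m.group(2)))
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means all implemented checks passed."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    problems, counts = [], {}
    for name, value in fields:
        counts[name] = counts.get(name, 0) + 1
        if name in URI_FIELDS and not URI_RE.match(value):
            problems.append(f"{name}: value is not a URI: {value!r}")
        if value.lower().startswith("http:"):
            problems.append(f"{name}: web URIs must use https://, got {value!r}")
        if name == "expires":
            try:
                expires = datetime.fromisoformat(
                    value.replace("Z", "+00:00").replace("z", "+00:00"))
            except ValueError:
                problems.append(f"expires: not an RFC 3339 date-time: {value!r}")
                continue
            if expires.tzinfo is None:
                problems.append("expires: missing time-zone offset")
            elif expires <= now:
                problems.append(f"expires: file expired on {value}")
    if counts.get("contact", 0) == 0:
        problems.append("contact: at least one Contact field is required")
    if counts.get("expires", 0) != 1:
        problems.append("expires: exactly one Expires field is required")
    if counts.get("preferred-languages", 0) > 1:
        problems.append("preferred-languages: at most one allowed")
    return problems


if __name__ == "__main__":
    print(validate_security_txt(SAMPLE_SECURITY_TXT) or "OK")
```

The Expires check is the one most often missed in practice: RFC 9116 requires the field, and researchers and coordinators treat an expired file as stale, so it should be refreshed (ideally together with the key rotation) well before the date passes.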
-
Dealing openly with vulnerabilities is, rather, a mark of quality. It is common knowledge that vulnerabilities are found in products time and again; what matters is how they are handled. Users can only carry out a risk assessment for their own deployment if security advisories are published. By providing this information, you are also protecting your customers.
-
In order to identify vulnerable components, it is advantageous to be able to determine which of your products are affected. It can happen, for example, that a vulnerability was only reported for product X, but because of the components it shares, product Y is also affected. The use of a Software Bill of Materials (SBOM) helps to confirm or rule out such cases.
-
Open and friendly communication, together with an explanation of how the assessment was arrived at, is extremely important. A conference call with all parties involved is also a good way to do this, since direct questions can then be clarified immediately.