Coordinated Vulnerability Disclosure

COORDINATED VULNERABILITY DISCLOSURE (CVD)

Finder: Individual or organization who has found a potential vulnerability.
O-RAN CVD Committee: Committee which, for each vulnerability report, triages the vulnerability, interacts with the Groups/Committees of the impacted specification(s) to resolve the vulnerability, and communicates on the progress of the handling of the vulnerability report with the Finder. Members of the CVD Committee are the O-RAN Executive Committee Board members, the O-RAN Office, Co-Chairs of the Security Work Group (WG11), and the Co-Chairs of the Group/Committee affected.
Vulnerability: Security weakness in O-RAN specifications based on O-RAN specifications that can be exploited to cause unintended behavior.

Once a vulnerability report is submitted by a Finder, it is shared with the O-RAN CVD Committee.
The O-RAN CVD Committee will triage the vulnerability and will engage relevant leadership and Group/Committee co-chairs within O-RAN ALLIANCE, based on the nature of the vulnerability and the impacted specifications. The Finder will receive an email from the O-RAN CVD Committee that the report has progressed to the impacted internal O-RAN Groups.
The impacted Groups will assess the vulnerability. During this process, the Finder may be contacted for further information. Based on the assessment, the vulnerability is either accepted or rejected based on its validity. In either case, the Finder is notified.
If the vulnerability report is assessed as valid, the impacted Groups/Committees work to create a resolution. The resolution is prepared and adopted using the O-RAN decision-making procedures, and the Finder is informed by email of the resolution.
O-RAN aims to have a plan to resolve all valid vulnerabilities within 90 days of reporting, although it may take longer to implement resolutions for complicated fixes.
If the Finder has opted-in to public recognition, he/she may be added to O-RAN's Public Reports.

Only share findings with O-RAN using the vulnerability report form, publicly available in web format at the web location listed in section “CVD Submission Form”.
Provide a Proof-of-Concept and/or sufficient information to enable reproduction of the vulnerability; this allows the vulnerability report to be verified and allows possible fixes to be proposed.
Submit vulnerabilities pertaining only to O-RAN specifications.
Treat the vulnerability information as confidential information until the CVD process is terminated. Do not disclose the vulnerability with other people until it has been resolved by O-RAN.
Not to use the vulnerability for exploitation beyond the minimum necessary to demonstrate the vulnerability, and not to leverage the vulnerability for financial gain.
Provide the name (real or an alias) and the email address so that O-RAN can get back to the Finder with the final answer.
Grant permission to O-RAN to pass the name and email to the Group(s)/Committee(s) as identified the most suitable for resolving the vulnerability.
Unless the Finder makes the declaration anonymously, O-RAN also asks whether the Finder wishes to be publicly identified as the author of the vulnerability report and listed in the O-RAN public recognition.

Accept reports from anonymous and named Finders.
Not share the Finder's details with third parties without the Finder’s authorization, unless legally required to do so.
Treat the vulnerability information as “need-to-know” confidential information until the CVD process is terminated. “Need-to-know“ is identified by the O-RAN CVD Committee.
Acknowledge the vulnerability report submitted by the Finder within 7 days of its submission, if the Finder is not anonymous.
Keep the Finder updated of progress through out the process, except when this is not possible due to the Finder engaging anonymously.
Aim to have a plan to resolve valid vulnerabilities within 90 days.

The vulnerability report will be handled in accordance with the O-RAN CVD Process as amended from time to time.
Disclosures to O-RAN's CVD Process must focus on O-RAN specifications.
Disclosures outside of this scope will not be addressed by O-RAN.
Disclosures will be treated as confidential information unless published.
As the O-RAN CVD Process is designed to benefit the security of O-RAN specifications, the O-RAN CVD Committee, the O-RAN Office and O-RAN Members, Contributors, and Academic Contributors do not warrant or assume any liability for the responsibilities of this process, or vulnerability resolutions, and any other activities or milestones set forth by O-RAN.
Each participant in this activity will engage in this offering without reliance or any representation and /or warranty of the other parties and all such representations and/or warranties are, to the greatest extent permitted by applicable law, hereby disclaimed.
Taking into consideration that O-RAN is a standards development organization, disclosures to the O-RAN CVD Process will not generate any financial compensation for the Finder.