Quokka Security Researchers often uncover vulnerabilities in devices using the iOS and/or Android operating systems. These vulnerabilities may be in chipsets, system software, firmware, or applications installed on the device. This document outlines how Quokka will disclose these discovered vulnerabilities to all affected vendors.
A Vulnerability Disclosure Program (VDP) is the digital equivalent of “if you see something, say something.” Many manufacturers and developers have a process for third parties to report a vulnerability found in their products. Having a VDP is highly recommended; if your organization does not have one, a template can be found here:
https://www.ntia.doc.gov/files/ntia/publications/ntia_vuln_disclosure_early_stage_template.pdf
This document is different from a standard VDP in that it outlines how Quokka will disclose vulnerabilities found by Quokka, not how to report vulnerabilities to Quokka.
Quokka also discloses vulnerabilities to CISA using the DHS CISA Coordinated Vulnerability Disclosure process (https://www.cisa.gov/coordinated-vulnerability-disclosure-process).
A vulnerability is often found in a component made by a third party, such as a chipset or system software developed by another company. In these cases, the vulnerability may be present in many devices made by several unrelated manufacturers, and Quokka will follow the process described below for each affected vendor.
Once a vulnerability is found and verified by the research team, Quokka will follow these steps:
Quokka will search the websites of all affected parties for a VDP and attempt to establish communication with the vendor three times.
- The initial attempt (Start Date).
- A second attempt no less than one week after the initial attempt.
- A third attempt no less than two weeks after the initial attempt.
If an adequate response is not received from the vendor within 45 days of the initial attempt, Quokka will disclose to CISA. Quokka may then disclose publicly after disclosing to CISA.
If the vendor does reply, Quokka will work with the organization by providing additional information on the vulnerability.
Quokka is committed to a safer online environment and will work with any vendor who is committed to fixing the issue. This includes, but is not limited to, sharing information and further discussing the issue. In return, Quokka expects prompt communication back from the vendor, including timeline information regarding remediation.
Quokka will publish a Security Advisory with all appropriate technical details concerning the vulnerability. Quokka prefers to work closely with the vendor and may extend the 45-day timeline if the vendor requires more time to release a fix, but Quokka may still issue the advisory whether or not the vendor has released a fix. This is the schedule Quokka follows for issuing the Security Advisory:
- The Security Advisory will be released publicly 45 days after the vendor was first contacted (Start Date) unless otherwise agreed with the vendor.