1. General information
1.2. The information report “On the Implementation of a Coordinated Vulnerability Disclosure Process in State Administration” initiated the implementation of a Coordinated Vulnerability Disclosure Process in the State Administration and gives Latvian state and local government institutions the opportunity to participate voluntarily in the Coordinated Vulnerability Disclosure Process.
1.3. The Vulnerability Reporting Platform (hereinafter referred to as – the Platform) is maintained by CERT.LV, which acts as coordinator and mediator of the Coordinated Vulnerability Disclosure Process and as the developer, maintainer and manager of the Platform.
1.3. The processing of personal data on the Platform is carried out in accordance with the CERT.LV personal data processing procedures.
1.4. The Platform uses cookies. The use of cookies is carried out in accordance with the CERT.LV Cookie Policy.
2. Definitions
2.1. The following definitions are used in this document:
2.1.1. CERT.LV responsible officer: A CERT.LV employee who monitors and administers the Platform.
2.1.2. Participant: a Platform user, i.e. a Security Researcher, a CERT.LV responsible officer or a Representative of the Institution.
2.1.3. Security Researcher: a natural or legal person who has discovered a vulnerability and is involved in a Coordinated Vulnerability Disclosure Process (e.g., providing ICT support or systems maintenance services to the Institution and/or creating, delivering, implementing or maintaining any type of software or technical components).
2.1.4. Institution: A state or local institution in the Republic of Latvia that has engaged in a Coordinated Vulnerability Disclosure Process and is the manager of a resource included in the Platform.
2.1.5. Representative of the Institution: the person designated by the Institution as a main person responsible for the Coordinated Vulnerability Disclosure Process (e.g., the person responsible for information technology security management) or as an additional programme manager.
2.1.6. Programme: information regarding Institution’s ICT resources that is provided by the Institution on the Platform, as well as specific guidance, requirements and restrictions regarding the tests to be carried out.
2.1.7. Resource: an ICT resource of an Institution included in the testing area and available for vulnerability testing as part of a Coordinated Vulnerability Disclosure Process.
2.1.8. Resource manager: the owner, holder or possessor of the ICT resource, or the person in control of the resource to be tested.
2.1.9. Cooperation partner: a European Union or Latvian institution, a CERT network member, a software or technological equipment manufacturer, or another actor involved in the Coordinated Vulnerability Disclosure Process with whom the Institution and/or CERT.LV cooperates.
3. Registration on the Vulnerability Reporting Platform
3.1. In order to participate in the Coordinated Vulnerability Disclosure Process and to submit a vulnerability disclosure report, a Participant shall register on the Platform.
3.2. The Participant shall fill in the registration form and include the following information: name, surname, username, e-mail address, password and role on the Platform.
3.3. When registering on the Platform, the Representative of the Institution shall provide full and truthful information and the e-mail address allocated by the Institution. The information is used for verification purposes to ensure that the Institution is represented on the Platform by a person authorised by the Institution.
3.4. In order to ensure the anonymity of the Security Researcher, it is permissible to enter free-form characters in the name and surname fields, as well as a username and e-mail address that do not allow the Security Researcher to be identified.
3.5. By completing the registration form, the Participant shall confirm that he/she has read the Terms of Use of the Vulnerability Reporting Platform and the CERT.LV Personal Data Processing Policy.
3.6. CERT.LV verifies Participants. The Participant will receive confirmation of registration at the e-mail address provided and can then complete registration on the Platform.
3.7. The CERT.LV responsible officer shall check the registration form submitted by the Participant, including the Representative’s relationship with the registered Institution. If the verification is successful, the Representative of the Institution will receive confirmation of registration to the e-mail address provided and can complete the registration process on the Platform.
3.8. The Participant is responsible for the accuracy and currency of the data entered and undertakes not to use the identity of another person.
4. Vulnerability Reporting Platform
4.1. The Platform is intended for registering and processing of vulnerabilities of ICT resources of Latvian state and municipal institutions.
4.2. The Platform is available online 24/7 and supports the efficient and transparent recording and processing of vulnerabilities, as well as collaboration between the parties involved.
4.3. The Platform contains information on the resources to be tested (section “Programmes”) submitted by the Institution involved in the Coordinated Vulnerability Disclosure Process, as well as specific guidance, requirements and limitations regarding the tests to be performed.
4.4. The publicly accessible “News” and “FAQ” sections of the Platform provide detailed information and answers to frequently asked questions.
5. Basic Principles of the Vulnerability Reporting and Disclosure Process
5.1. The Representative of the Institution shall register the Institution’s resources available for testing within the Coordinated Vulnerability Disclosure Process on the Platform and ensure the processing of the submitted vulnerability reports, involving additional programme managers and CERT.LV where necessary.
5.2. When planning to conduct security research of a resource, the Security Researcher shall select the appropriate Programme on the Platform and familiarise himself/herself with the rules of participation.
5.3. A Security Researcher shall register a discovered vulnerability on the Platform by selecting the appropriate Institution and Programme.
5.4. In cases where the Security Researcher is unable to find a Programme corresponding to the identified vulnerability on the Platform and is otherwise unable to inform the Representative of the Institution about the vulnerability, or communication with the Representative of the Institution has been unsuccessful, the Security Researcher shall have the right to register the vulnerability on the Platform in the CERT.LV Client Vulnerabilities programme.
5.5. When submitting a vulnerability report, the Security Researcher shall provide as much information as possible that could be useful for confirming vulnerability and conducting detailed research.
5.6. The Platform has the option to save a draft vulnerability description and submit a vulnerability report later.
5.7. The Representative of the Institution shall assess the vulnerability report upon receipt. The Representative of the Institution shall, if necessary, clarify the information provided by sending questions to the Security Researcher.
5.8. The Representative of the Institution or a Security Researcher can involve CERT.LV in the processing of the report by adding it as a Participant to the vulnerability report.
5.9. The recommended timeframe for vulnerability remediation is 45-90 days, taking into account the complexity of the vulnerability and the criticality of its impact.
5.10. In a Coordinated Vulnerability Disclosure Process, the parties involved agree on the scope of the information to be disclosed in relation to the identified vulnerability, taking into account the balance between the public’s right to information and the protection of the Institution’s interests, so as not to cause additional risks and losses to the Institution and so as to respond effectively to and prevent related risks.
5.11. Before disclosing information about an identified vulnerability, CERT.LV shall assess the content of the information (e.g., whether the vulnerability should not be publicly disclosed, whether it should be reported as soon as possible after its discovery, etc.).
5.12. If a vulnerability report is received through the CERT.LV Client Vulnerabilities programme, CERT.LV shall evaluate the submitted report. If the information meets the vulnerability criteria, CERT.LV shall start the vulnerability processing and identify the manager of the resource. If the information sent is not identified as a vulnerability, CERT.LV shall reject the report.
5.13. The vulnerability report shall only be processed by the actors involved. The information shall not be made public until the issue is resolved.
5.14. When CERT.LV receives information about a vulnerability that has already been registered on the Platform, it shall inform the Security Researcher that the vulnerability has already been registered.
5.15. Vulnerability information published by CERT.LV shall also include recognition for the Security Researcher, unless the Security Researcher has indicated otherwise. To qualify for recognition, the vulnerability shall be previously unidentified and sufficiently serious.
5.16. In the case of a serious vulnerability, CERT.LV can help the Security Researcher to register the vulnerability in the Common Vulnerabilities and Exposures (CVE) registry.
6. Rights and obligations of a Security Researcher
6.1. The Security Researcher shall comply with the terms, conditions and restrictions of the Programme.
6.2. The vulnerability report shall be registered by the Security Researcher in the appropriate Programme.
6.3. If the Security Researcher is testing resources, before each iteration of testing, the Security Researcher shall open the Institution’s Programme and verify that no changes have been made to the permitted testing activities (e.g., testing that has been prohibited or changed requirements). Any additional requirements to be met by the Security Researcher shall be laid down by the Institution in the Programme description.
6.4. After the report has been submitted, communication with the Security Researcher takes place on the Platform through comments on the report; once a comment is saved, it is sent to the e-mail address specified by the Security Researcher.
6.5. The Security Researcher shall respond to questions about the submitted vulnerability report in a timely manner.
6.6. The Security Researcher is not authorised to take any action that would be detrimental to the Institution by exploiting a vulnerability discovered.
7. Rights and obligations of the Representative of the Institution
7.1. The Institution can be represented on the Platform by:
7.1.1. a person responsible for information technology security management;
7.1.2. a person designated by the Head of the Institution or by the person responsible for information technology security management.
7.2. Institutions shall be obliged to cooperate with CERT.LV in the process of vulnerability detection and remediation, and the Representative of the Institution shall:
7.2.1. update the information regarding the Institution and the Representative of the Institution;
7.2.2. review and update the Programmes;
7.2.3. specify the conditions for testing the Programme;
7.2.4. respond to vulnerability reports, questions and comments received on the Platform in a timely manner;
7.2.5. decide on the involvement of CERT.LV or other persons in the processing of the vulnerability report, as well as specify the amount and type of assistance required;
7.2.6. participate in solving issues related to vulnerability remediation and cooperate with other involved parties, including by sending notices to customers and other affected persons;
7.2.7. inform CERT.LV and the Security Researcher about the progress of vulnerability remediation;
7.2.8. inform CERT.LV of any problems observed in the operation of the Platform;
7.2.9. inform CERT.LV if the Institution has decided to discontinue participation in the Coordinated Vulnerability Disclosure Process.
7.3. The Head of the Institution shall have the right to change any Representative of the Institution on the Platform by sending a request to cvd@cert.lv.
7.4. The Institution shall post information on its website regarding its involvement in the Coordinated Vulnerability Disclosure Process, as described in Chapter 3 of the Information Report “On the Implementation of a Coordinated Vulnerability Disclosure Process in the State Administration”.
8. Rights and obligations of CERT.LV responsible officer
8.1. CERT.LV responsible officers provide support to participants.
8.2. CERT.LV shall use its e-mail address (cvd@cert.lv) to communicate about the implementation of the Coordinated Vulnerability Disclosure Process, the use of the Platform, possible improvements and information notifications.
8.3. Before publishing an Institution’s Programme, the CERT.LV responsible officer shall review the Programme description prepared by the Representative of the Institution where information on the resources to be tested and other specific requirements is provided. CERT.LV shall have the right to ask questions and request clarification of the Programme description.
9. Termination of Participation in the Coordinated Vulnerability Disclosure Process
9.1. The Institution or Security Researcher shall inform CERT.LV of the termination of participation in the Coordinated Vulnerability Disclosure Process by sending an application to CERT.LV.
9.2. Upon the receipt of such application, CERT.LV shall terminate the participation of the Institution or Security Researcher in the Coordinated Vulnerability Disclosure Process and suspend the user’s account on the Platform.
10. Dispute resolution procedure
10.1. If disagreements or disputes arise between the parties involved in the Coordinated Vulnerability Disclosure Process, the parties shall endeavour to resolve them through negotiation, in accordance with the procedures established by the legislation of the Republic of Latvia.
1. Controller of the data processing
1.1. Controller of the data processing of CERT.LV is:
Name: Institute of Mathematics and Computer Science, University of Latvia
Registration number of the scientific institution: 381013
Tax Identification Number: 90002111761
Address: Raiņa bulvāris 29, Riga, LV-1459, Latvia
Tel.: +371 67085888
E-mail address: cert@cert.lv, cert@cert.gov.lv
2. Data Protection Officer
2.1. CERT.LV personal data protection officer – tel. +371 67085888, e-mail cert@cert.lv.
3. Purpose and legal basis for data processing
3.1. In the CERT.LV Coordinated Vulnerability Disclosure Process, data processing takes place on the basis of Article 5, Section 1, Clause 20 and Section 3 of that Article of the National Cyber Security Law, as well as Articles 39 and 40 of that Law, which correspond to Article 6, Part One, subparagraph (e) of the General Data Protection Regulation: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in CERT.LV.
3.2. The processing of user data provided on the Vulnerability Reporting Platform is necessary to ensure the Coordinated Vulnerability Disclosure Process, including to implement the coordination of vulnerability disclosure in Latvia and to ensure the transfer of discovered information about vulnerabilities to the manager of the specific Information and Communication Technologies (hereinafter referred to as – ICT) resource.
3.3. By registering on the Platform, the Participant agrees to be bound by the Platform’s terms and conditions and personal data processing procedures.
3.4. The Participant is aware that CERT.LV processes the Participant’s personal data – name, surname, username, e-mail address and IP address – with the purpose of:
3.4.1. registering a Participant’s account;
3.4.2. identifying the visitor as a registered Participant;
3.4.3. registering the visit and the actions taken on the Platform;
3.4.4. ensuring coordination between all actors involved, including the receipt of platform notifications (e.g., receipt of a new vulnerability report, changes to the description of an Institution’s vulnerability reporting programme, addition of a comment, etc.);
3.4.5. ensuring that information received about vulnerabilities is passed to a Representative of the Institution.
3.5. The following personal data may be processed by CERT.LV in connection with the processing of vulnerability reports:
3.5.1. personal data contained in the vulnerability report or its annexes;
3.5.2. information contained in the comments of the vulnerability report – correspondence between the actors involved in the vulnerability processing.
3.6. A vulnerability report may contain personal data related to a specific vulnerability, but not personal data of the Security Researcher.
3.7. The Security Researcher has the right not to provide his/her personal data in the vulnerability report.
3.8. The Representative of the Institution and the Security Researcher are responsible for the data they add to the Platform, ensuring that only the data necessary to demonstrate the vulnerability is added. If necessary, the Participant shall consult his/her own or CERT.LV’s data protection officer.
4. Potential recipients of the data
4.1. CERT.LV has the right to disclose the personal data of participants:
4.1.1. if the information on personal data is requested by the data subject and CERT.LV has the possibility to verify the identity of the information requester;
4.1.2. if information on personal data is requested in writing by an authorised state or local government institution in the cases and in accordance with the procedures established by the laws and regulations of the Republic of Latvia;
4.1.3. if the data subject has consented to the transfer of the personal data to another processor;
4.1.4. if a Representative of the Institution requests information about the Institution and its contact persons.
4.2. Participants have the right to request information about third parties who have received information about the Participant, unless otherwise provided by the laws and regulations of the Republic of Latvia.
4.3. CERT.LV has the right to disclose vulnerability data (which may contain personal data) received:
4.3.1. to the information technology security incident response institutions (units) of other countries, in cases where the vulnerability also affects another Member State of the European Union;
4.3.2. to service providers directly involved in the maintenance of the vulnerable ICT resource, including its information systems, or in the provision of maintenance services, and/or to service providers who create, deliver, implement or maintain any type of software or technical components;
4.3.3. to the European Union Agency for Cybersecurity, where appropriate;
4.3.4. if the information is requested in writing by authorised state institutions in the cases and in accordance with the procedures established by the laws and regulations of the Republic of Latvia.
5. Access to personal data and data portability
5.1. The Participant can access and update his/her data by logging in to the Platform.
5.2. The Participant has the right to receive the data CERT.LV holds about him/her in a machine-readable format.
6. Rectification, deletion of data or restriction of data processing
6.1. In the case of data changes, the Participant is obliged to update the data on the Platform or notify CERT.LV of the necessary changes.
6.2. If a Participant wishes to delete his/her data, a request shall be sent from the e-mail address provided on the Platform to the e-mail address cvd@cert.lv. CERT.LV verifies the authenticity of the request before making changes.
6.3. If a Participant has not logged in to the Platform for more than one year, the Participant’s access to the Platform is automatically blocked.
6.4. After the suspension of the user’s account on the Platform, CERT.LV shall keep the personal data of the Participant for a maximum period of 5 years.
6.5. CERT.LV stores the data regarding vulnerabilities logged in the Vulnerability Reporting Platform for a period of 5 years after the vulnerability report has been resolved.
7. Lodging a complaint
7.1. The Participant has the right to lodge a complaint with the Data State Inspectorate regarding an alleged personal data breach.
The Vulnerability Reporting Platform (cvd.cert.lv) uses functional cookies.