Vulnerability Research & Advisor

The Coordinated Vulnerability Disclosure (CVD) process has been in place in the TIM Cyber Security department since 2019 and has been integrated into ethical hacking and bug hunting activities.
Coordinated Vulnerability Disclosure is an ethical approach to disclosing zero-day vulnerabilities, i.e., security bugs that are still unknown to developers and potentially exploitable before dedicated patches are released.
Through this process, the bug hunter discloses the identified vulnerabilities to vendors confidentially, granting them time to implement a security patch before the public disclosure.
This method strengthens the collective response to cyber threats, reducing the risk of malicious actors exploiting these critical vulnerabilities.
At TIM, we continuously work to promote the responsible disclosure of vulnerabilities, supporting vendors in identifying and resolving emerging threats and offering numerous benefits, such as:
 

  • System administrators are incentivized to promptly install security patches once bugs are made public;
  • Perimeter protection vendors can update their policies to intercept and block new malicious payloads;
  • Vulnerability Assessment tool vendors can update their products to detect new vulnerabilities;
  • Other vendors have the opportunity to verify whether the same criticality affects their own products, such as in open-source libraries.

This page compiles and updates the bug hunting work done by TIM: vulnerabilities are disclosed to the public only after the vendor has released the security patch and agreed to share the details.

This approach helps build a more secure and collaborative ecosystem, both nationally and internationally, where responsible vulnerability sharing becomes a fundamental pillar in the fight against cyber threats.