Fathom5 both builds and deploys novel information and operations technologies (IT/OT) as well as works with our partner and clients existing technology stack to help ensure the safe and secure operations of those technologies. As such, Fathom5 is both the potential recipient of vulnerability information about its own technologies as well as an entity that conducts the security evaluation of other organizations’ technologies on behalf of our partners and clients.
As both a potential beneficiary and producer of vulnerability-related insights, Fathom5 aspires to be a transparent, cooperative partner across all aspects of coordinated vulnerability disclosure. This policy is a description of how Fathom5’s vulnerability disclosure program operates as well as describing how Fathom5 intends to engage with second and third-party entities that produce technologies that Fathom5 engineers may discover vulnerabilities in.
As an OT company, Fathom5 often works with systems that are safety critical. Safety critical systems are increasingly dependent on software, and therefore increasingly subject to software security issues. Coordinated vulnerability disclosure directs energy and attention into improving the safety and security of systems and software for the overall population. Compared with traditional IT systems, manufacturers of OT systems have a higher consequence of failure—due to the potential for physical impacts--and relatively less experience with vulnerability disclosure. High trust, high collaboration interactions come from understanding mutual expectations and perspectives.
When software is a dependency for operational technology, the consequences of security failure may manifest in direct, individual harm, including loss of life. Exploitation of such vulnerabilities can shatter confidence in the firm, market, and/or service. Adversaries that target OT may intend to cause deliberate physical harm and criminal groups are keen to attack sectors likely to pay higher ransoms due to the high cost of operational disruptions to control systems and other operational technologies upon which an organization may depend.
Operational technology elements such as sensors, programmable logic controllers, low power chips, embedded controllers, limited battery life, etc., limit capabilities available to the manufacturer in design and response. Fathom5 is in the business of facilitation the implementation of technologies that make operations technologies easier and safety to upgrade and secure. Even when we are not able to provide such services to our partners, we believe that all parties benefit from an awareness of vulnerabilities because it affords the legitimate operators of these technologies to mitigate risks associated with these vulnerabilities as appropriate.
Operational technology often exists in unique operational, environmental, physical, network, immediacy/real-time, and legal contexts. For example, ships rarely have embarked IT or OT security professionals on-board but are required to be self-sufficient in the safe, secure operation of all components of the vessel, and may be subject to any number of regulatory regimes based on location, cargo, crew composition, and insurance mandates. Further, if shipboard OT systems are affected then
the seaworthiness of a vessel may be at risk, which can have a range of financial and safety-related impacts.
Thus, Fathom5 approaches cybersecurity as a platform-wide mandate, requiring an awareness of potential vulnerabilities across the range of interconnected devices present in a system-of-systems. We make every effort deploy technologies are built secure, patched when necessary, and degrade gracefully, because we know that the security of our products is integral to the safe and secure operation of automated technologies.
Coordinated vulnerability disclosure means that the remediation of discovered vulnerabilities is sequenced with the public disclosure of the discovery such that the safe, secure operation of systems and networks are maintained and the risks of exploitation by nefarious actors are minimized. It allows for security researchers and others to share their findings with their peers and the public, while also allowing system developers, owners, and operators the ability to minimize security risks.
To report a security vulnerability in a Fathom5 technology, please contact us using one of the ways described in the “Contact Us” section of this policy. Fathom5 will strive to respond within two business days of a vulnerability-related message.
When you message us, please include the following information:
Fathom5 encourages all parties to report discovered vulnerabilities, regardless of service contracts or product lifecycle status. We welcome vulnerability reports from academic groups, capture-the-flag competitors, researchers, industry groups, CERTs, partners, and any other source as Fathom5 does not require a nondisclosure-agreement as a prerequisite for receiving reports. Fathom5 will respect the interests of the reporting party (allowing anonymous reports if requested) and agrees to handle any vulnerability that is reasonably believed to be related to a Fathom5 technology. Fathom5 urges reporting parties to perform a coordinated disclosure, as immediate public disclosure causes a ‘0-day situation’ which puts Fathom5’s customer systems at unnecessary risk. These technologies help assure everything from national security to global trade and we believe the continued, safe operation of these systems is in the best interest of all concerned.
Upon notification, Fathom5 will investigate and attempt to replicate the vulnerability in our labs. If needed, Fathom5 will continue to engage the reporter of the vulnerability to ensure an accurate understanding of the reported vulnerability.
Fathom5 will perform internal vulnerability handling and/or coordination with second-party technology providers. Any affected national security entities that utilize affected technologies may be notified of a security issue in advance of remediation and/or public disclosure.
During this period of time, Fathom5 will remain in contact with the disclosing party to provide updates about status and to ensure visibility of the disclosing party in Fathom5’s position on the disclosure. If developed, pre-releases of fixes may be provided to the reporting party for verification.
After a fix, remediation, or control has been developed for the discovered vulnerabilities, Fathom5 will notify its customers and partners and release this information to them. In some cases, Fathom5 may need to physically apply the remediations to multiple, geographically distributed sites/entities. Subsequent to the initial deployment of fixes, remediations, and controls, the discovery shall be considered for public release, to include:
· A description of the vulnerability (with CVE reference and CVSS score, if available)
· Identity of known affected products and software/hardware versions
· Information on mitigating factors and workarounds
· The location of available software/firmware fixes
· With the reporting party’s consent, credit is provided for reporting and collaboration.
Fathom5 will endeavor to allow for the public disclosure of verified vulnerabilities in its technologies within 90 days of their reporting. If this timeline is not possible, Fathom5 will remain in continuous contact with the discovering party, ensuring that they remain aware of fix and mitigation timelines such that a public disclosure occurs at the earliest responsible time.
Fathom5 deeply appreciates the work of security researchers and strives to recognize and reward technical brilliance. As such, Fathom5 reserves the right to provide material and non-material recognition to those who discover and report vulnerabilities in Fathom5 products. This includes, but is not limited to, public recognition of the researcher(s) on Fathom5’s public website, Fathom5 clothing or apparel, the sponsoring of researchers to present their findings at a public cybersecurity conference, the sponsoring of researchers to present their findings to Fathom5 partners and customers, and trips to Austin, Texas, to visit Fathom5’s labs.
Fathom5 conducts internal vulnerability research efforts as well as examining critical technologies used by our partners and clients. Unless otherwise bound by a contractual obligation to the contrary, Fathom5 will aspire to disclose vulnerabilities in a responsible, coordinated manner.
When the producer of a product that Fathom5 employees discover a vulnerability in has a published (e.g., posted on their website) coordinated vulnerability disclosure process, Fathom5 will endeavor to abide by that policy in good faith.
Upon discovery of a vulnerability in a second party technology, Fathom5 will attempt to contact the maker of the vulnerable technology and provide information about the vulnerability, to include an identification of the vulnerable technology by model, serial number, and/or software/firmware version. When available, Fathom5 will offer to provide proof-of-concept code or network traces that demonstrates the viability of exploiting the discovered vulnerability.
Fathom5 will attempt to first contact a company via email. After a 48-hour period, Fathom5 will follow-up again via email. After an additional 24-hour period without a response, Fathom5 will attempt to contact the vendor by phone. If no reply is received, Fathom5 will attempt to re-contact the vendor via email every 10 business days until a response is received or 90-days has elapsed.
Fathom5 will never request payment or other rewards for such disclosures or accept funds in exchange for not publishing the details or reporting details of the vulnerability to the appropriate regulatory or government entity(-ies).
Fathom5 will remain in contact with the second party as much as necessary to enable the second party to fully understand the nature of the vulnerability and offer reasonable assistance in either evaluating proposed fixes or further discussing Fathom5 findings. Fathom5 may offer to offer to partner with the second party in the development of a fix should Fathom5 have the resources available to do so.
If the second party does not respond or does not provide information about their remediation intent, efforts, and process, Fathom5 reserves the right to publicly disclose the vulnerability via a conference presentation, white paper, video, or other public media when doing so is judged by Fathom5 to be in the public interest.
If no response has been received from the technology maker and the technology is used by Fathom5’s national security clients or critical infrastructure entities (as defined by the US Cybersecurity Infrastructure Security Agency [CISA]), after 30 days of no response Fathom5 may report its findings to the appropriate government entity.
In addition to disclosing to government entities after 30 days, absent the existence of a second party’s published vulnerability disclosure policy, Fathom5 will adhere to a 90-day public disclosure window, with the option of a 14-day extension if the vendor is coordinating with Fathom5 transparently and in good faith. This 90-day period begins when Fathom5 first attempts to privately disclose a vulnerability to a vendor, regardless of whether the vendor responds.
In cases where the vulnerable technology is located with a partner or client’s platforms or systems, Fathom5 may disclose the awareness of such vulnerabilities to their partners or clients when operating under a mutual NDA. In such cases, Fathom5 will work with its partners and clients to implement temporary controls and mitigations until the technology vendor is able to develop and release their own fix. This disclosure to our clients and partners is considered a private disclosure.