MON-CSIRT
What is a CSIRT?
A Computer Security Incident Response Team (CSIRT) is an objective body with the required technical and procedural skills and resources to appropriately handle computer (cyber) security incidents.
The CSIRT is responsible for identifying and controlling cyber security incidents, notifying designated CSIRT responders, and reporting findings to management.
Who is MON-CSIRT?
Monash University Computer Security Incident Response Team (MON-CSIRT) undertakes the role of a CSIRT for Monash University, including the collaboration and sharing with external incident response teams.
Security advisories
Our security analysts practise responsible disclosure and report the vulnerabilities they discover. Below is a list of those they have permission to publish. Due to the security risks associated with disclosure, not all vulnerabilities are published.
| CVE | Vulnerability | Researchers |
|---|---|---|
| CVE-2020-2021 | PAN-OS: Authentication Bypass in SAML Authentication | Salman Khan and Cameron Duck |
| CVE-2021-3654 | OSSA-2021-002: Open Redirect in noVNC proxy | Swe Aung, Shahaan Ayyub, Salman Khan |
CNA (CVE Numbering Authority)
MON-CSIRT has been authorised by the Common Vulnerabilities and Exposures (CVE®) Program as a CVE Numbering Authority (CNA). MON-CSIRT joins a list of partners, including 400+ organisations across more than 40 countries, to further expand the community-driven CVE Program. CNAs are organisations from around the world authorised to assign CVE Identifiers (CVE IDs).
CVE is an international, community-based effort and relies on the community to discover vulnerabilities. The vulnerabilities discovered are assigned CVE IDs and published to the CVE List. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritise and address the vulnerabilities. The CVE Records published in the catalogue enable program stakeholders to rapidly discover and correlate vulnerability information used to protect systems against attacks.
CNAs are organisations responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about each vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing.
Vulnerability disclosure policy
Monash University continues to make a positive impact on today’s global challenges and believes that providing a cyber-safe environment is part of its Cyber Security strategy and contributes to the University's strategic plan.
MON-CSIRT strongly believes in responsible disclosure, whereby vulnerabilities discovered are given sufficient time to be fixed, and user software updated, before publication. The scope of disclosure will include any vulnerabilities in any Monash University developed products and third-party vendor products identified by or reported to MON-CSIRT, and not already covered by another CNA on the list of partners on the CVE website. MON-CSIRT complies with all applicable laws and regulations and requires all parties involved in the vulnerability disclosure procedure to comply, including all applicable laws or regulations governing privacy or the lawful processing of data.
The following policy aligns with industry-leading responsible disclosure policies such as that of Google Project Zero.
In the event of a vulnerability being discovered, MON-CSIRT will undertake the following actions (except where to do so would breach any law or obligation owed to any person):
- Attempt to establish contact with the vendor of the affected software/hardware by sending appropriate notifications to various publicly facing contact channels and closed channels (if available).
- If contact has been established, MON-CSIRT will attempt to establish a secure communication channel and disclose all necessary steps to reproduce the vulnerability to the vendor.
- The vendor will be given 90 days starting from the disclosure date to fix the reported issue(s) and release the necessary patches or introduce steps for their users to protect themselves.
- If, before the 90-day deadline expires, a vendor informs us that a patch is scheduled for release on a specific day within 14 days after the deadline, we will delay public disclosure until the patch is available.
- In the event the vendor requests continuous delays or the vendor becomes uncontactable, MON-CSIRT may proceed with public disclosure in order to protect users of the vulnerable software/hardware.
Bug Bounty and Vulnerability Disclosure Programs
Monash University runs both a Vulnerability Disclosure Program and a Bug Bounty Program. If you are looking to report a vulnerability, you can complete the Reporting Security Vulnerabilities form or use the contact details published in security.txt. You must comply with all applicable laws and must not compromise or disrupt any data that is not your own. If the vulnerability falls under the scope of another CNA, MON-CSIRT will coordinate with the researcher and the identified CNA for that assignment. If you have questions regarding the above policy or any related matter, contact us via cve-coordination@monash.edu (please note that MON-CSIRT does not provide rewards for submissions made via email; please use the above form).
Safe Harbour
Safe Harbour will be provided to vulnerability researchers in alignment with the BugCrowd policy when findings are submitted via the Monash University Bug Bounty Program or Vulnerability Disclosure Program (VDP). Any findings submitted outside of these programs will be considered for Safe Harbour on a case-by-case basis.