Three can keep a secret, if two of them are dead.
-Benjamin Franklin
The more people who know a secret, the more likely it is to leak. Simple probability theory tells us that even if the probability of any given party leaking is very low, the probability that the secret is kept falls off geometrically with the number of parties involved, so the cumulative probability of at least one leak quickly approaches certainty [1].
Returning to our simple model, and the "Who needs to know what, when?" question, multiparty disclosure highlights the need to balance need-to-know with need-to-share. There are varying degrees of need-to-know. Not everyone needs to know the same thing at the same time. Patch originators are usually notified early in the process, since their answer to "What do I need to do in response to this knowledge?" (i.e., create a patch) is often on the critical path for any downstream parties to be able to take action. Downstream vendors (patch consumers) and deployers can be notified later.
Vulnerabilities having the potential for significant impact can lead to coordination efforts beyond the traditional product vendor space. Infrastructure and service providers are sometimes brought in early, if there are mitigations that can be deployed in advance of the availability of a fix. This can be especially helpful in cases where the vulnerability may affect the infrastructure necessary to distribute the patch in the first place.
Be careful to consider fairness though: By what criteria should you notify service provider X but not service provider Y? At some point, the complexity of who knows what gets high enough that the likelihood of a leak approaches 1, and you might as well go public.
It's also important to be aware that not all participants along the chain of disclosure will be equally trustworthy. That's not to say they are actively malicious, just that they may have incompatible values or priorities that lead them to disclose the existence of the vulnerability to others earlier than you'd prefer.
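The probability argument above, and the "at some point you might as well go public" threshold, can be turned into a small planning helper for a notification list. The following is an added example and is not code from the original page or from the CERT guide. It assumes that parties leak independently of one another, which is a simplification (a leak by one party often changes the behaviour of others), and the per-party leak probabilities and party names in it are constructed for illustration, not measured data. Because each party gets its own probability, it also covers the point that participants are not equally trustworthy: a less trusted party simply gets a larger number.

```python
"""
Added example (not from the original page): cumulative leak probability for
a coordinated-disclosure notification list.

Assumptions (mine, not the page's):
  * each party leaks independently, with its own probability p_i;
  * the probabilities and party names below are illustrative guesses.
"""


def leak_probability(per_party: list[float]) -> float:
    """P(at least one party leaks) = 1 - prod(1 - p_i), assuming independence.

    The "kept secret" probability prod(1 - p_i) shrinks geometrically with
    each party added, which is why the leak probability races toward 1.
    """
    keep = 1.0
    for p in per_party:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        keep *= 1.0 - p
    return 1.0 - keep


def homogeneous_leak_probability(p: float, n: int) -> float:
    """Special case: n parties that all leak with the same probability p."""
    return leak_probability([p] * n)


def max_parties_below(p: float, threshold: float) -> int:
    """Largest n such that 1 - (1 - p)^n stays below `threshold` (equal p).

    Iterates instead of using log() so a value that lands exactly on the
    boundary is never miscounted by floating-point rounding.
    """
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    if not 0.0 < threshold < 1.0:
        raise ValueError("threshold must be strictly between 0 and 1")
    n, keep = 0, 1.0
    while 1.0 - keep * (1.0 - p) < threshold:
        keep *= 1.0 - p
        n += 1
    return n


def disclosure_schedule(parties: list[tuple[str, float]],
                        threshold: float) -> list[tuple[str, float, bool]]:
    """Walk a priority-ordered notification list (originator first).

    Returns (name, cumulative_leak_probability, within_budget) per party,
    where within_budget means the cumulative probability after telling this
    party is still below `threshold`. Everyone after the first party that
    breaks the budget is a candidate for "just go public instead".
    """
    rows = []
    cumulative: list[float] = []
    for name, p in parties:
        cumulative.append(p)
        prob = leak_probability(cumulative)
        rows.append((name, prob, prob < threshold))
    return rows


# Constructed sample: a notification order with made-up per-party leak
# probabilities, increasing as we move away from the patch originator.
PARTIES = [
    ("patch originator", 0.01),
    ("upstream vendor A", 0.02),
    ("downstream vendor B", 0.05),
    ("downstream vendor C", 0.05),
    ("service provider X", 0.10),
    ("service provider Y", 0.10),
    ("deployer D", 0.15),
]

if __name__ == "__main__":
    for name, prob, ok in disclosure_schedule(PARTIES, threshold=0.25):
        print(f"{name:20s} P(leak so far)={prob:.3f} {'ok' if ok else 'OVER BUDGET'}")
    print("equal p=0.05, P(leak) < 0.5 allows", max_parties_below(0.05, 0.5), "parties")
```

Running it shows the cumulative leak probability after each notification and flags where a chosen budget (here 25%) is exceeded; with equal 5% per-party odds the 50% mark is crossed at the fourteenth party. The independence assumption makes these numbers optimistic: correlated leaks (one party's disclosure prompting others) only make the curve steeper.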