...

Occasionally vendors and reporters have difficulty arriving at a mutually acceptable response to the existence of a vulnerability.

Disputes can arise for many reasons, including the following:

  • Whether the behavior described in the report is reproducible
  • Whether the behavior described in the report has security implications
  • The impact of the vulnerability to deployed systems
  • Whether to publicly disclose the vulnerability
  • How much detail to include in a public disclosure
  • The timing of public disclosure
  • Whether extensions should be made to deadlines set by one party or another, whether or not they have been mutually agreed to previously

In these situations, and many others, reporters and/or vendors may find it useful to engage the services of a third-party coordinator to assist with conflict resolution. Drawing on the experience and relative neutrality of a third-party coordinator can often dissipate some of the potential animosity that can arise in contentious cases.

...

In situations where a vulnerability has the potential for major impact to critical infrastructure, it may be necessary to coordinate not only with vendors to fix the vulnerable products, but also with major deployers. The primary concern in these cases is to ensure that internet and other critical infrastructure remains available so that deployers and other network defenders can acquire and deploy the necessary information and patches.

Luckily, this scenario is rare, but we have seen it come up in cases affecting internet routing, the Domain Name System (DNS), internet protocols, and the like. Vulnerabilities that affect basic internet services such as DNS (which also serves as an example of a horizontal supply chain) affect a massive number of vendors; a coordinator can help contact and disseminate information to vendors, service providers, and other critical organizations for quick remediation.

...