When you say it's gonna happen now,
When exactly do you mean?
See I've already waited too long
And all my hope is gone
The Smiths, "How Soon is Now?"
How long is "long enough" to respond to a vulnerability? Is 45 days long enough? Is 90 days too short? Is 217 days unreasonable? Three years? Talk among yourselves. We can wait.
As with so many questions that arise in the CVD process, there is no single right answer. So rather than trying to solve an underspecified set of inequalities, let's have a look at some of the factors that tend to play into timing choices. This will give us an opportunity to see where some of the variability comes from.

Conference Schedules and Disclosure Timing

Conference schedules often drive researcher timelines. This is a big one. There is a rhythmic cycle to the vulnerability disclosure calendar. Black Hat [101] and DEF CON [102] happen in early August every year. Usenix Security [103] is usually right after that. The RSA Conference [104] is in the late winter or early spring. CanSecWest [105] is in the spring. Smaller conferences are scattered in between. Many of these conferences rely on presenters describing novel attack methods in varying degrees of detail. In the course of analyzing, developing, and demonstrating those techniques, researchers often uncover vulnerabilities in existing products. That means that coordinating the disclosure of the vulnerabilities they've found is a common part of the conference preparation process for presenters. The CERT/CC often observes an increased rate of vulnerability reports a few months in advance of these conferences. Vendors would do well to be aware of these schedules and be prepared to respond quickly and appropriately to seemingly inflexible deadlines for disclosure.

Vendor Reputation and Willingness to Cooperate

Vendors that are perceived to treat vulnerability reporters poorly or that are perceived to be slow or unresponsive may find themselves being left to discover reports of vulnerabilities in their products at the same time as the public becomes aware of them. CVD is a social process, remember? And the game is played over and over, by players who share knowledge between rounds.

Declarative Disclosure Policies Reduce Uncertainty

Avoiding surprise was one of the principles in Section 2. To that end, explicitly declared policies (from both researchers and vendors) are a good thing. Expected disclosure timing is an important question to ask whenever a report is received. Sometimes the reporter or coordinator acting on the reporter's behalf has a standing policy of X days with no exceptions. Other reporters may be more flexible. If in doubt, ask.

Diverting from the Plan

I have never had a plan of operations.

...

In cases that divert from the planned disclosure date, it sometimes helps to seek the opinion of a neutral third party for advice on how to proceed. Finders, reporters, and vendors can each have valid yet conflicting perspectives on what the best course of action might be. Coordinator organizations are often able to help resolve conflicts by taking a neutral approach to the situation and advising one or more parties in light of their prior experience.

Releasing Partial Information Can Help Adversaries

When considering what information to release about a vulnerability, our advice is "Don't tease." Our experience shows that the mere knowledge of a vulnerability's existence in a feature of some product is sufficient for a skillful person to discover it for themselves. Rumor of a vulnerability draws attention from knowledgeable people with vulnerability finding skills—and there's no guarantee that all those people will have users' best interests in mind. Thus, teasing the existence of a vulnerability in a product can sometimes provide an adversarial advantage that increases risk to end users.