If evidence comes to light that a vulnerability is being exploited in the wild, that is usually a strong indication to accelerate the disclosure timeline. Active exploitation is indicative of either independent discovery or an information leak from the CVD process (whether intentional or accidental), with the added concern that not only does an adversary know about the vulnerability but is already using it. Hence, in the case of known exploitation, it's usually best to consider disclosing what is known about the vulnerability—hopefully with some mitigation instructions—as soon as possible even if a patch is not yet available. From the vendor's standpoint, acknowledging that you're already aware of the vulnerability and are working on a fix can help restore users' confidence in your product and the process that produced it.
Overview
Content Tools
CMU/SEI-2017-SR-022
| SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY
Distribution Statement A: Approved for Public Release; Distribution is Unlimited