Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

ReporterValidation and TriageVendor explicitly declines to take action on a report
  1. The vendor has been given an opportunity to review the report
  2. The vendor informs the reporter of its decision not to take any further action

Assuming both conditions above have been met, the validation and triage phase has concluded, and the vendor has indicated that they will not be engaging in the remediation phase.

The reporter's implied obligation to the vendor coordination process is effectively terminated at this point. Assuming the reporter chooses to continue pursuing the issue at all, their options include:

  • The reporter may publish the report on their own.
  • The reporter may attempt to engage a coordinator
Vendor / Coordinator / Reporter



Validation and Triage


Evidence of exploitation for an embargoed report
  1. The vulnerability is still under embargo (i.e., the process has not reached the Public Awareness phase yet).
  2. Evidence indicates that the vulnerability is being used by attackers.

At this point, the embargo is effectively moot, and the Public Awareness phase is initiated regardless of whether the preceding phases have completed.

Vendors, Coordinators, and Reporters should always be ready to immediately terminate an embargo and go public with whatever advice is available at the time that evidence of exploitation becomes known.

Even a simple Vendor acknowledgement that the problem is being worked on can help deployers adjust their response accordingly.

ReporterReportingUnable to find vendor contact
  1. The reporter has made reasonable attempts through multiple channels to reach the vendor
  2. The reporter has been unable to confirm that the vendor has received the report

  • No labels