Role(s) | Phase(s) | Problem | Description | Tips |
---|---|---|---|---|
Reporter | Validation and Triage | Vendor explicitly declines to take action on a report | Assuming both conditions above have been met, the validation and triage phase has concluded, and the vendor has indicated that they will not be engaging in the remediation phase. | The reporter's implied obligation to the vendor coordination process is effectively terminated at this point. Assuming the reporter chooses to continue pursuing the issue at all, their options include: |
Vendor / Coordinator / Reporter | Discovery, Reporting, Validation and Triage, Remediation | Evidence of exploitation for an embargoed report | | At this point, the embargo is effectively moot, and the Public Awareness phase is initiated regardless of whether the preceding phases have completed. Vendors, Coordinators, and Reporters should always be ready to immediately terminate an embargo and go public with whatever advice is available at the time that evidence of exploitation becomes known. The Vendor should accelerate their remediation development as much as possible. Even a simple Vendor acknowledgement that the problem is being worked on can help deployers adjust their response accordingly. |
Reporter | Reporting | Unable to engage vendor contact | See Finding Vendor Contacts for tips on how to reach vendors. See also 6.1 Unable to Find Vendor Contact and 6.2 Unresponsive Vendor. | Assuming the reporter chooses to continue pursuing the issue at all, their options include: |
Reporter | Reporting, Validation and Triage, Remediation, Public Awareness | Vendor stops responding | See also 6.3 Somebody Stops Replying. | At this point, the CERT/CC would consider the vendor to be non-responsive. Assuming the reporter chooses to continue pursuing the issue at all, their options include: |
Vendor | Reporting, Validation and Triage, Remediation, Public Awareness | Reporter stops responding | See also 6.3 Somebody Stops Replying. | The vendor is under no obligation to continue attempting to engage with a reporter who stops responding. The vendor should continue through the Validation and Triage, Remediation, and Public Awareness phases on their own as necessary. If the report was received in the context of a bug bounty program, the vendor should apply their bug bounty policy as appropriate. |
Vendor | Reporting, Validation and Triage, Remediation | Vulnerability becomes public prior to vendor intended date | | At this point, the embargo is effectively moot, and the Public Awareness phase is initiated regardless of whether the preceding phases have completed. Vendors, Coordinators, and Reporters should always be ready to immediately terminate an embargo and go public with whatever advice is available at the time that the vulnerability becomes known. The Vendor should accelerate their remediation development as much as possible. Even a simple Vendor acknowledgement that the problem is being worked on can help deployers adjust their response accordingly. The CERT/CC does not recommend punitive measures be taken against perceived "leakers". Vendors are of course free to choose with whom they cooperate in the future. |
Vendor | Reporting | Vulnerability becomes public prior to vendor awareness | | The main defenses Vendors have against being surprised by public reports of vulnerabilities in their products are: |