The following table provides advice for resolving problems in various CVD scenarios. It is organized according to the roles affected and the phases in which the problem is likely to arise. Each problem identified is accompanied by a description intended to help the reader diagnose the problem.

Each entry below lists the Role(s) affected, the Phase(s) in which the problem arises, the Problem, a Description (the conditions that indicate the problem), and Tips for resolving it.

Role(s) affected: Reporter, Vendor, Coordinator
Phase(s): Discovery, Reporting, Validation and Triage, Remediation
Problem: Evidence of exploitation for an embargoed report
Description:
  1. The vulnerability is still under embargo (i.e., the process has not reached the Public Awareness phase yet).
  2. Evidence indicates that the vulnerability is being used by attackers.
Tips:
See 6.6 Active Exploitation.

At this point, the embargo is effectively moot, and the Public Awareness phase is initiated regardless of whether the preceding phases have completed.

Vendors, Coordinators, and Reporters should always be ready to immediately terminate an embargo and go public with whatever advice is available at the time that evidence of exploitation becomes known.

The Vendor should accelerate their remediation development as much as possible.

Even a simple Vendor acknowledgement that the problem is being worked on can help deployers adjust their response accordingly.

Role(s) affected: Reporter
Phase(s): Reporting
Problem: Unable to engage vendor contact
Description:
  1. The reporter has made reasonable attempts through multiple channels to reach the vendor.
  2. The reporter has been unable to confirm that the vendor has received the report.
Tips:
See Finding Vendor Contacts for tips on how to reach vendors. See also 6.1 Unable to Find Vendor Contact and 6.2 Unresponsive Vendor.

Assuming the reporter chooses to continue pursuing the issue at all, their options include:

  • The reporter may publish the report on their own. Hard-to-reach vendors often become less so after a vulnerability or two is made public without their involvement.
  • The reporter may attempt to engage a coordinator to continue trying to reach the vendor.

Role(s) affected: Reporter
Phase(s): Reporting
Problem: Vendor has a reputation for or history of treating reporters poorly
Description:
  1. The reporter wishes to report a vulnerability to the vendor.
  2. The vendor has a history of treating reporters poorly (retaliation, threatened litigation, etc.).
Tips:
See 5.7 Disclosure Timing and 6.7 Relationships that Go Sideways.

Assuming the reporter chooses to continue pursuing the issue at all, their options include:

  • The Reporter may publish the report on their own, possibly anonymously.
  • The Reporter may attempt to engage a Coordinator to act as a neutral third party.
  • The Reporter may attempt to engage a Coordinator to act as an anonymizing proxy to relay the information to the Vendor.
  • The Reporter may take steps to report the vulnerability to the Vendor anonymously.

The CERT/CC recommends that Reporters do their best to provide Vendors with an opportunity to resolve vulnerabilities prior to public disclosure. However, if the Vendor's prior behavior makes that infeasible, it is our opinion that there is a benefit to public awareness of the vulnerability regardless.

Role(s) affected: Reporter
Phase(s): Reporting, Validation and Triage, Remediation, Public Awareness
Problem: Vendor stops responding
Description:
  1. The reporter and vendor had already been in contact about the vulnerability.
  2. The reporter has repeatedly attempted to communicate with the vendor.
  3. The vendor has been non-responsive for at least two weeks.
  4. Either of the following events has occurred:
    1. An already-agreed embargo date has passed, or
    2. No embargo date was set and at least six weeks have elapsed since the vendor's last response.
Tips:
See also 6.3 Somebody Stops Replying.

At this point, the CERT/CC would consider the vendor to be non-responsive.

Assuming the reporter chooses to continue pursuing the issue at all, their options include:

  • The reporter may publish the report on their own. If so, the reporter should provide a courtesy copy of the report to the vendor with a few days' lead time to give the vendor one last chance to prepare for entering the Public Awareness phase.
  • The reporter may attempt to engage a coordinator.


Role(s) affected: Reporter
Phase(s): Validation and Triage
Problem: Vendor explicitly declines to take action on a report
Description:
  1. The vendor has been given an opportunity to review the report.
  2. The vendor informs the reporter of its decision not to take any further action.
Tips:
Assuming both conditions above have been met, the Validation and Triage phase has concluded, and the vendor has indicated that they will not be engaging in the Remediation phase.

The reporter's implied obligation to the vendor coordination process is effectively terminated at this point. Assuming the reporter chooses to continue pursuing the issue at all, their options include:

  • The reporter may publish the report on their own.
  • The reporter may attempt to engage a coordinator.

Role(s) affected: Reporter, Coordinator
Phase(s): Remediation
Problem: Vendor is unprepared for pending embargo expiration
Description:
  1. The Vendor is aware of the vulnerability.
  2. The embargo date is approaching.
  3. The Vendor communicates that it is not ready yet.
Tips:
See 5.7 Disclosure Timing.

Reporters and Coordinators should consider the Vendor's responsiveness to date when deciding how to respond.

If the Vendor is cooperative and seems to have a reasonable explanation for the delay, extending the embargo may be preferable.

If the Vendor has had ample time to address the problem and does not appear to be acting in good faith toward a timely resolution, Reporters may choose to publish the vulnerability information on their own without the Vendor's participation. Alternatively, Reporters may choose to engage the services of a Coordinator to try to resolve the conflict.

In no case is it necessary for the Reporter or Coordinator to wait indefinitely for a Vendor that does not appear to be making progress toward timely resolution.

Role(s) affected: Reporter, Vendor, Coordinator
Phase(s): Reporting, Validation and Triage, Remediation, Public Awareness
Problem: A CVD case just isn't going well
Description:
  1. Cooperation has failed or is in the process of failing within the context of a particular CVD case.
Tips:
See also 6.7 Relationships that Go Sideways.

All parties in a failing CVD case should consider their actions in light of promoting continued cooperation.

Reporters and Vendors can engage the services of a third-party Coordinator to assist with notifying other Vendors, coordinating response along a supply chain, resolving disputes, etc.

Role(s) affected: Reporter, Vendor, Coordinator
Phase(s): Reporting, Validation and Triage, Remediation
Problem: Vulnerability affects multiple vendors with incompatible disclosure policies
Description:
  1. Multiple vendors are likely to be affected by the vulnerability.
  2. At least one of those vendors has a policy or practice of disclosing vulnerabilities more quickly than others.
  3. That vendor is unwilling to adjust their behavior to accommodate slower vendors.
Tips:
See 5.5 Response Pacing and Synchronization.

The coordinating parties (Reporter, Vendor(s), and/or Coordinator) have three options:

  • Shorten their embargo to accommodate the fast-moving vendor.
  • Delay notifying the fast-moving vendor until the other vendors are close enough to ready that they will reach the Public Awareness phase at about the same time as the fast-moving vendor.
  • Avoid notifying the fast-moving vendor during the embargo period, letting them catch up once the vulnerability enters the Public Awareness phase.

The third is nearly always the least optimal of the three choices.

Role(s) affected: Reporter, Vendor
Phase(s): Reporting, Validation and Triage, Remediation, Public Awareness
Problem: A CVD case involves too many vendors or is otherwise excessively complex
Description:
  1. Multiple vendors are likely to be affected by the vulnerability.
  2. The Reporter or Vendor(s) already involved are concerned about their ability to notify and coordinate other Vendors' response to the vulnerability.
Tips:
See 5.4 Multiparty CVD, 5.5 Response Pacing and Synchronization, and 5.6 Maintaining Pre-Disclosure Secrecy.

Reporters and Vendors can engage the services of a third-party Coordinator to assist with notifying other Vendors, coordinating response along a supply chain, resolving disputes, etc.

Reporters and Vendors should consider shortening the embargo period for larger multiparty cases. The chance of embargo failure grows dramatically as more parties are added to the coordination.

Role(s) affected: Vendor
Phase(s): Reporting, Validation and Triage, Remediation, Public Awareness
Problem: Reporter stops responding
Description:
  1. The reporter and vendor had already been in contact about the vulnerability.
  2. The vendor has repeatedly attempted to communicate with the reporter.
  3. The reporter has not responded to the vendor.
Tips:
See also 6.3 Somebody Stops Replying.

The vendor is under no obligation to continue attempting to engage with a reporter who stops responding.

The vendor should continue through the Validation and Triage, Remediation, and Public Awareness phases on their own as necessary.

If the report was received in the context of a bug bounty program, the vendor should apply their bug bounty policy as appropriate.

Role(s) affected: Vendor
Phase(s): Reporting, Validation and Triage, Remediation
Problem: Vulnerability becomes public prior to the vendor's intended date
Description:
  1. The vendor had received the report.
  2. The vendor is working on it.
  3. Information about the vulnerability appears in public.
Tips:
See 6.4 Intentional or Accidental Leaks.

At this point, the embargo is effectively moot, and the Public Awareness phase is initiated regardless of whether the preceding phases have completed.

Vendors, Coordinators, and Reporters should always be ready to immediately terminate an embargo and go public with whatever advice is available at the time that the vulnerability becomes public.

The Vendor should accelerate their remediation development as much as possible.

Even a simple Vendor acknowledgement that the problem is being worked on can help deployers adjust their response accordingly.

The CERT/CC does not recommend that punitive measures be taken against perceived "leakers". Vendors are of course free to choose with whom they cooperate in the future.

Role(s) affected: Vendor
Phase(s): Reporting
Problem: Vulnerability becomes public prior to vendor awareness of the vulnerability
Description:
  1. The vendor was unaware of the vulnerability at the time it became public.
Tips:
See also 6.4 Intentional or Accidental Leaks and 6.5 Independent Discovery.

The main defenses Vendors have against being surprised by public reports of vulnerabilities in their products are:

  • Vendors should have a mechanism for receiving vulnerability reports and a process for resolving them.
  • Vendors should strive to maintain a reputation for cooperating with Finders and Reporters.
  • Vendors should design, evaluate, and test their own products as extensively as they are able to.

Role(s) affected: Vendor
Phase(s): Reporting, Validation and Triage, Remediation
Problem: Vendor receives a second report of a vulnerability already under embargo
Description:
  1. The vendor had received a report of a vulnerability.
  2. The vendor received a second, seemingly independent, report of the same vulnerability.
Tips:
See also 6.5 Independent Discovery.

Vulnerability rediscovery is known to happen. It's usually not a big deal if the Reporters are cooperating with the Vendor.

Vendors should attempt to verify that the second report is in fact independent of the first, and not simply a case of the same report taking diverse paths to reach the vendor.

Vendors should re-evaluate any existing embargo and consider accelerating the Remediation and Public Awareness phases in light of the apparent ease with which the vulnerability is being independently found.

Vendors should ensure any relevant bug bounty policies define how this situation will be handled with respect to bounty payouts.

Role(s) affected: Vendor
Phase(s): Validation and Triage, Remediation
Problem: Vulnerability affects downstream vendors
Description:
  1. Multiple vendors are likely to be affected by the vulnerability.
  2. Many of these vendors are dependent on the originating vendor providing a fix before they can take action.
  3. The originating vendor may or may not know exactly who those downstream vendors are or how to reach them.
Tips:
See 5.4 Multiparty CVD, 5.5 Response Pacing and Synchronization, and 5.6 Maintaining Pre-Disclosure Secrecy.

Vendors should provide communication channels for their downstream vendors to coordinate vulnerability response when needed.

Vendors may wish to provide an extended embargo period so that their downstream vendors have an opportunity to incorporate changes before entering the Public Awareness phase. This obviously works better in cases where the originating vendor knows who most of its downstream vendors are.

However, the larger the number of involved parties, the more likely the embargo is to fail. Vendors in a supply chain may consider whether legally binding disclosure agreements are an appropriate means to limit this risk.

Reporters and Vendors can engage the services of a third-party Coordinator to assist with notifying other Vendors, coordinating response along a supply chain, resolving disputes, etc.

Role(s) affected: Vendor
Phase(s): Remediation
Problem: Vendor is unprepared for pending embargo expiration
Description:
  1. The Vendor is aware of the vulnerability.
  2. The embargo date is approaching.
  3. The Vendor is not ready yet.
Tips:
See 5.7 Disclosure Timing.

If the Vendor is working toward a solution but needs more time to complete its analysis, development, or testing, it can request an extension of the embargo from the Reporter and/or Coordinator (if any).

Vendors should recognize that (absent any binding agreement to the contrary) the embargo is a courtesy offered by the Reporter or Coordinator to the Vendor, and that Reporter or Coordinator policy or other considerations may supersede the Vendor's desire for more time.

Role(s) affected: Vendor
Phase(s): Public Awareness
Problem: A vulnerability is receiving unanticipated media attention
Description:
  1. The vendor is aware of the vulnerability, and may have already released a fix.
  2. There is considerable media attention drawn to the vulnerability.
    1. Sometimes this is triggered by savvy marketing on the part of the Finder or Reporter.
    2. Other times this attention comes about because of recent similar media stories.
    3. Often the media attention is disproportionate to the severity of the vulnerability.
Tips:
See also 6.8 Hype, Marketing, and Unwanted Attention.

Vendors and Coordinators (if any are involved) can often help their users, constituents, and the media to appropriately calibrate their concern about a vulnerability by providing a clear and accurate representation of the facts.

Vendors should not, however, attempt to squash information that is already available in the public sphere. This often backfires, leading to even more publicity. It's better to let the vulnerability be the story than to have the Vendor's response to the vulnerability become the story.
