The following table provides advice for resolving problems in various CVD scenarios. It is organized according to the roles affected and the phases in which the problem is likely to arise. Each problem identified is accompanied by a description intended to help the reader diagnose the problem.
Role(s) affected | Phase(s) | Problem | Description | Tips |
---|---|---|---|---|
Reporter, Vendor, Coordinator | Discovery, Reporting, Validation and Triage, Remediation | Evidence of exploitation for an embargoed report | | At this point, the embargo is effectively moot, and the Public Awareness phase has been entered regardless of whether the preceding phases have completed. Vendors, Coordinators, and Reporters should always be ready to immediately terminate an embargo and go public with whatever advice is available at the time that evidence of exploitation becomes known. The Vendor should accelerate their remediation development as much as possible. Even a simple Vendor acknowledgement that the problem is being worked on can help deployers adjust their response accordingly. |
Reporter | Reporting | Unable to engage vendor contact | See Finding Vendor Contacts for tips on how to reach vendors. See also 6.1 Unable to Find Vendor Contact and 6.2 Unresponsive Vendor. | Assuming the reporter chooses to continue pursuing the issue at all, their options include: |
Reporter | Reporting | Vendor has a reputation for or history of treating reporters poorly | See 5.7 Disclosure Timing and 6.7 Relationships that Go Sideways. | Assuming the reporter chooses to continue pursuing the issue at all, their options include: The CERT/CC recommends that Reporters do their best to provide Vendors with an opportunity to resolve vulnerabilities prior to public disclosure. However, if the Vendor's prior behavior makes that infeasible, it is our opinion that there is a benefit to public awareness of the vulnerability regardless. |
Reporter | Reporting, Validation and Triage, Remediation, Public Awareness | Vendor stops responding | See also 6.3 Somebody Stops Replying. | At this point, the CERT/CC would consider the vendor to be non-responsive. Assuming the reporter chooses to continue pursuing the issue at all, their options include: |
Reporter | Validation and Triage | Vendor explicitly declines to take action on a report | Assuming both conditions above have been met, the validation and triage phase has concluded, and the vendor has indicated that they will not be engaging in the remediation phase. See also 6.2 Unresponsive Vendor and 6.3 Somebody Stops Replying. | The reporter's implied obligation to the vendor coordination process is effectively terminated at this point. Assuming the reporter chooses to continue pursuing the issue at all, their options include: |
Reporter, Coordinator | Remediation | Vendor is unprepared for pending embargo expiration | | Reporters and Coordinators should consider the Vendor's responsiveness to date when deciding how to respond. If the Vendor is cooperative and seems to have a reasonable explanation for the delay, extending the embargo may be preferable. If the Vendor has had ample time to address the problem and does not appear to be acting in good faith toward a timely resolution, Reporters may choose to publish the vulnerability information on their own without the Vendor's participation. Alternatively, Reporters may choose to engage the services of a Coordinator to try to resolve the conflict. In no case is it necessary for the Reporter or Coordinators to wait indefinitely for a Vendor that does not appear to be making progress toward timely resolution. |
Reporter, Vendor | Reporting, Validation and Triage, Remediation, Public Awareness | A CVD case involves too many vendors or is otherwise excessively complex | See also Vulnerability affects downstream vendors, as well as 5.4 Multiparty CVD, 5.5 Response Pacing and Synchronization, and 5.6 Maintaining Pre-Disclosure Secrecy. | Reporters and Vendors can engage the services of a third-party Coordinator to assist with notifying other Vendors, coordinating response along a supply chain, resolving disputes, etc. Reporters and Vendors should consider shortening the embargo period for larger multiparty cases. The chance of embargo failure grows dramatically as more parties are added to the coordination. |
Vendor | Reporting, Validation and Triage, Remediation, Public Awareness | Reporter stops responding | See also 6.3 Somebody Stops Replying. | The vendor is under no obligation to continue attempting to engage with a reporter who stops responding. The vendor should continue through the Validation and Triage, Remediation, and Public Awareness phases on their own as necessary. If the report was received in the context of a bug bounty program, the vendor should apply their bug bounty policy as appropriate. |
Vendor | Reporting, Validation and Triage, Remediation | Vulnerability becomes public prior to vendor intended date | | At this point, the embargo is effectively moot, and the Public Awareness phase is initiated regardless of whether the preceding phases have completed. Vendors, Coordinators, and Reporters should always be ready to immediately terminate an embargo and go public with whatever advice is available at the time that the vulnerability becomes known. The Vendor should accelerate their remediation development as much as possible. Even a simple Vendor acknowledgement that the problem is being worked on can help deployers adjust their response accordingly. The CERT/CC does not recommend punitive measures be taken against perceived "leakers". Vendors are of course free to choose with whom they cooperate in the future. |
Vendor | Reporting | Vulnerability becomes public prior to vendor awareness of the vulnerability | | The main defenses Vendors have against being surprised by public reports of vulnerabilities in their products are: |
Vendor | Reporting, Validation and Triage, Remediation | Vendor receives second report of a vulnerability already under embargo | See also 6.5 Independent Discovery. | Vulnerability rediscovery is known to happen. It's usually not a big deal if the Reporters are cooperating with the Vendor. Vendors should attempt to verify that the second report is in fact independent of the first, and not simply a case of the same report taking diverse paths to reach the vendor. Vendors should re-evaluate any existing embargo and consider accelerating the Remediation and Public Awareness phases in light of the apparent ease with which the vulnerability is being independently found. Vendors should ensure any relevant bug bounty policies define how this situation will be handled with respect to bounty payouts. |
Vendor | Validation and Triage, Remediation | Vulnerability affects downstream vendors | See also Vulnerability affects unknown downstream vendors and Vulnerability affects multiple vendors with incompatible disclosure policies below, as well as 5.4 Multiparty CVD, 5.5 Response Pacing and Synchronization, and 5.6 Maintaining Pre-Disclosure Secrecy. | Questions of fairness arise if some affected vendors are given advance notice of a vulnerability while others are notified only when it reaches the Public Awareness phase. The goal should be to provide as much information as soon as possible to all affected vendors. Vendors should provide communication channels for their downstream vendors to coordinate vulnerability response when needed. Ideally these channels are established and maintained on an ongoing basis, because constructing them in an ad-hoc manner in the midst of a vulnerability case can be time-consuming and error-prone. Vendors may wish to provide an extended embargo period so that their downstream vendors have an opportunity to incorporate changes before entering the Public Awareness phase. This obviously works better in cases where the originating vendor knows who most of its downstream vendors are. (See Vulnerability affects unknown downstream vendors for additional advice when they don't.) Cases where a significant user base (in terms of size or relative importance) may be affected by the vulnerability via unknown downstream vendors' products are an argument in favor of shortened embargo periods and increased Public Awareness. Furthermore, the larger the number of involved parties, the more likely the embargo is to fail. Vendors in a supply chain may consider whether legally binding disclosure agreements are an appropriate means to limit this risk. However, it's often not feasible for all parties to be placed under such an agreement, which again argues in favor of short embargo periods. Reporters and Vendors can engage the services of a third-party Coordinator to assist with notifying other Vendors, coordinating response along a supply chain, resolving disputes, etc. |
Reporter, Vendor, Coordinator | Validation and Triage, Remediation | Vulnerability affects unknown downstream vendors | | Questions of fairness arise if some affected vendors are given advance notice of a vulnerability while others are notified only when it reaches the Public Awareness phase. The goal should be to provide as much information as soon as possible to all affected vendors. Vendors should provide communication channels for their downstream vendors to coordinate vulnerability response when needed. Ideally these channels are established and maintained on an ongoing basis, because constructing them in an ad-hoc manner in the midst of a vulnerability case can be time-consuming and error-prone. For vulnerabilities affecting a large number of unknown downstream vendors, the Public Awareness phase plays an important part in identifying those vendors. Although publication may catch those vendors by surprise in this case, it should also help establish the aforementioned contact channel for future cases. Reporters and Vendors can engage the services of a third-party Coordinator to assist with notifying other Vendors, coordinating response along a supply chain, resolving disputes, etc. |
Reporter, Vendor, Coordinator | Reporting, Validation and Triage, Remediation | Vulnerability affects multiple vendors with incompatible disclosure policies | See also Vulnerability affects downstream vendors and 5.5 Response Pacing and Synchronization. | The coordinating parties (Reporter, Vendor(s), and/or Coordinator) have three options: The third is nearly always the least optimal of the three choices. |
Vendor | Remediation | Vendor is unprepared for pending embargo expiration | | If the Vendor is working toward a solution but needs more time to complete its analysis, development, or testing, it can request an extension of the embargo from the Reporter and/or Coordinator (if any). Vendors should recognize that (absent any binding agreement to the contrary) the embargo is a courtesy offered by the Reporter or Coordinator to the Vendor, but that Reporter or Coordinator policy or other considerations may supersede the Vendor's desire for more time. |
Vendor | Public Awareness | A vulnerability is receiving unanticipated media attention | | Vendors and Coordinators (if any are involved) can often help their users, constituents, and the media to appropriately calibrate their concern about a vulnerability by providing a clear and accurate representation of the facts. Vendors should not, however, attempt to squash information that is already available in the public sphere. This often backfires, leading to even more publicity. It's better to let the vulnerability be the story than to have the Vendor's response to the vulnerability become the story. |
Reporter, Vendor, Coordinator | Reporting, Validation and Triage, Remediation, Public Awareness | A CVD case just isn't going well | See also 6.7 Relationships that Go Sideways. | All parties in a failing CVD case should consider their actions in light of promoting continued cooperation. Reporters and Vendors can engage the services of a third-party Coordinator to assist with notifying other Vendors, coordinating response along a supply chain, resolving disputes, etc. |