Sometimes information leaks out of the CVD process. Perhaps an email gets CC'ed to someone who didn't need to know. Somebody might talk too much at a conference. Somebody could tweet that they just found a vulnerability in product X, providing no other details. Somebody might intentionally disclose the information to someone not involved in the supply chain for the fix.

Unfortunately, not everyone plays by the same rules. You might find information you thought was shared in confidence showing up in some non-confidential location. It might be a simple misunderstanding, mismatched expectations, or in rare cases, a malicious act. Regardless of how it leaked, there are three major questions to ask:

  1. What information leaked?
  2. How did the information leak?
  3. How will you respond?

As we noted in Section 5.7, mere knowledge that a vulnerability exists in a certain component can sometimes be enough to enable a determined individual or organization to find it. While a partial leak of information isn't necessarily as serious as a detailed leak, it should at least trigger additional consideration of accelerating the disclosure timeline.


< 6.3 Somebody Stops Replying | 6.5 Independent Discovery >

  • No labels

CMU/SEI-2017-SR-022 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY
Distribution Statement A: Approved for Public Release; Distribution is Unlimited