Coordinating Vulnerability Disclosure
Participating in a Coordinated Vulnerability Disclosure (CVD) process can be challenging. This section provides some advice on how to handle common issues that might arise during the coordination process.
-
Reasons to Engage a Coordinator
Reporter experience, capacity, and the number or nature of vendors involved can all play a role in determining whether a coordinator is needed. In addition, disputes between reporters and vendors, or the potential for major infrastructure impacts, can also necessitate the involvement of a coordinator.
-
Not all reports are actionable. Some reports may under-specify the problem, making it difficult or impossible to reproduce. Some may contain irrelevant details. Some will be well written and concise, but many will not. Some reports could describe problems that are already known or for which a fix is already in the pipeline.
-
Even for the reports a vendor accepts (in scope, credible, and valid), the development team is unlikely to have time to address each one the moment it arrives. Once a report is found to be valid, the next question is how to allocate resources to it.
-
Many products today are not developed by a single organization. Instead, they are assembled from components sourced from other organizations. Vulnerabilities in these components can have far-reaching impacts and require coordination among multiple parties to resolve.
-
Response Pacing and Synchronization
Problems can arise when the multiple parties involved in CVD function at different operational tempos. Different organizations have different priorities and development schedules, which can lead to some parties wanting to move faster than others.
-
Sometimes one of the parties involved in a CVD effort will stop responding. Often, this is simply a reflection of priorities and attention shifting elsewhere rather than intentional behavior. It's usually best to give the benefit of the doubt and keep trying to reestablish contact if one of the CVD participants goes unresponsive.
Embargoes in Coordinated Vulnerability Disclosure
Embargoes are a common tool in the CVD process, but they can be tricky to manage. This section provides some advice on how to handle embargoes effectively, even when things don't go as planned.
-
Maintaining Pre-Disclosure Secrecy
The more parties involved in a case, and the longer the embargo period lasts, the more likely a leak becomes.
-
Complicated vulnerabilities usually take longer to fix. Larger cases involving more parties, more products, or more complex supply chains also tend to take longer to resolve, even if the vulnerabilities themselves are relatively simple.
-
If one person can find a vulnerability, somebody else can, too. When multiple parties independently discover the same vulnerability, it can complicate the CVD process.
-
Intentional or Accidental Leaks
You might find information you thought was shared in confidence showing up in some non-confidential location. It might be a simple misunderstanding, mismatched expectations, or in rare cases, a malicious act.
-
If evidence comes to light that a vulnerability is being exploited in the wild, that is usually a strong indication to accelerate the disclosure timeline.
Complications in Coordinated Vulnerability Disclosure
Other complications can arise during the CVD process. This section provides some advice on how to handle these issues effectively. A summary of the advice in this section, along with a number of other scenarios, can be found in Troubleshooting CVD.
-
Relationships that Go Sideways
When relationships go sideways in a CVD process, it can be a real problem. The process can stall, or worse, the vulnerability can be disclosed in a way that is harmful to users.
-
Hype, Marketing, and Unwanted Attention
Is a branded vulnerability more dangerous than one without a name? Not in any technical sense. What a brand does is draw additional attention, which can force vendors to reprioritize the vulnerability cases they are already working on and allocate resources toward whatever vulnerability is getting the hype.
-
Troubleshooting Coordinated Vulnerability Disclosure
We have compiled a list of common problems that can arise during the Coordinated Vulnerability Disclosure (CVD) process. Each problem identified is accompanied by a description intended to help the reader diagnose the problem.
-
What To Do When Things Go Wrong
While we can't tell you what to do in every possible combination of contingencies that may arise in the CVD process, we can suggest a few guidelines to help you navigate the complexity.