Active Exploitation
If evidence comes to light that a vulnerability is being exploited in the wild, that is usually a strong indication to accelerate the disclosure timeline.
Active Exploitation Should Accelerate Disclosure
Active exploitation is indicative of either independent discovery or an information leak from the CVD process (whether intentional or accidental), with the added concern that not only does an adversary know about the vulnerability but is already using it.
Hence, in the case of known exploitation, it's usually best to consider disclosing what is known about the vulnerability—hopefully with some mitigation instructions—as soon as possible even if a patch is not yet available. From the vendor's standpoint, acknowledging that you're already aware of the vulnerability and are working on a fix can help restore users' confidence in your product and the process that produced it.
Evidence of exploitation for an embargoed report
Role(s) affected: Reporter
Phase(s): Reporting, Validation and prioritization, Remediation
Description:
- The vulnerability is still under embargo (i.e., the process has not reached the Public Awareness phase yet).
- Evidence indicates that the vulnerability is being used by attackers.
- At this point, the embargo is effectively moot, and the Public Awareness phase has been entered regardless of whether the preceding phases have completed.
- Vendors, Coordinators, and Reporters should always be ready to immediately terminate an embargo and go public with whatever advice is available at the time that evidence of exploitation becomes known.
- The Vendor should accelerate their remediation development as much as possible.
- Even a simple Vendor acknowledgement that the problem is being worked on can help deployers adjust their response accordingly.
- See Active Exploitation for more information on this topic.