Intentional or Accidental Leaks
Unfortunately, not everyone plays by the same rules. You might find information you thought was shared in confidence showing up in some non-confidential location. It might be a simple misunderstanding, mismatched expectations, or in rare cases, a malicious act.
Ways Information Can Leak
Sometimes information leaks out of the CVD process.
- Perhaps an email gets CC'ed to someone who didn't need to know.
- Somebody might talk too much at a conference.
- Somebody could post that they just found a vulnerability in a product, providing no other details.
- Somebody might intentionally disclose the information to someone not involved in the supply chain for the fix.
Questions to Ask When Information Leaks
Regardless of how it leaked, there are three major questions to ask:
- What information leaked?
- How did the information leak?
- How will you respond?
Even Partial Leaks Can Be Serious
As we note in Disclosure Timing, mere knowledge that a vulnerability exists in a certain component can sometimes be enough to enable a determined individual or organization to find it. While a partial leak of information isn't necessarily as serious as a detailed leak, it should at least trigger additional consideration of accelerating the disclosure timeline.
Vulnerability becomes public prior to vendor intended date
Role(s) affected: Vendor
Phase(s): Reporting, Validation and prioritization, Remediation
Description:
- The vendor had received the report.
- The vendor is working on it.
- Information about the vulnerability appears in public.
- At this point, the embargo is effectively moot, and the Public Awareness phase is initiated regardless of whether the preceding phases have completed.
- Vendors, Coordinators, and Reporters should always be ready to immediately terminate an embargo and go public with whatever advice is available at the time that the vulnerability becomes known.
- The Vendor should accelerate their remediation development as much as possible.
- Even a simple Vendor acknowledgement that the problem is being worked on can help deployers adjust their response accordingly.
- The CERT/CC does not recommend punitive measures be taken against perceived "leakers". Vendors are of course free to choose with whom they cooperate in the future.
- See Disclosure Timing, Leaks, and Independent Discovery