Skip to content

Early Termination

This page is normative

This page is considered a core part of the Vultron Protocol. This is a normative section of the documentation.

Embargoes sometimes terminate prior to the agreed date and time. This is an unavoidable, if inconvenient, fact arising from three main causes:

  1. Vulnerability discovery capability is widely distributed across the world, and not all Finders become cooperative Reporters.

  2. Even among otherwise cooperative CVD Participants, leaks sometimes happen.

  3. Adversaries are unconstrained by CVD in their vulnerability discovery, exploit code development, and use of exploit code in attacks.

Be Prepared for Embargo Termination

While many leaks are unintentional and due to miscommunication or errors in a Participant's CVD process, the effect is the same regardless of the cause. As a result,

Participants SHOULD be prepared with contingency plans in the event of early embargo termination.

Reasons to Terminate an Embargo Early

Some reasons to terminate an embargo before the agreed date include the following:

Formalism

\(q^{cs} \in \{ \cdot\cdot\cdot P \cdot\cdot, \cdot\cdot\cdot\cdot X \cdot \}\)

Embargoes SHALL terminate immediately when information about the vulnerability becomes public. Public information may include reports of the vulnerability or exploit code.

Formalism

\(q^{cs} \in \{ \cdot\cdot\cdot\cdot\cdot A \}\)

Embargoes SHOULD terminate early when there is evidence that the vulnerability is being actively exploited by adversaries.

Embargoes SHOULD terminate early when there is evidence that adversaries possess exploit code for the vulnerability.

Embargoes MAY terminate early when there is evidence that adversaries are aware of the technical details of the vulnerability.

The above is not a complete list of acceptable reasons to terminate an embargo early. Note that the distinction between the SHALL in the first item and the SHOULD in the second is derived from the reasoning given in the CS model , where we describe the CS model's transition function. Embargo termination is the set of transitions described in the EM model.

Waiting for All Vendors to Reach Fix Ready May Be Impractical

Fix Ready Definition
\[q^{cs} \in VF\cdot\cdot\cdot\cdot\]

It is not necessary for all Vendor Participants to reach Fix Ready before publication or embargo termination. Especially in larger MPCVD cases, there comes a point where the net benefit of waiting for every Vendor to be ready is outweighed by the benefit of delivering a fix to the population that can deploy it. No solid formula for this exists, but factors to consider include

  • the market share of the Vendors in Fix Ready (\(q^{cs} \in VF \cdot \cdot \cdot \cdot\)) compared to those that are not (\(q^{cs} \in \cdot f \cdot \cdot \cdot \cdot\))
  • the software supply chain for fix delivery to Deployers
  • the potential impact to critical infrastructure, public safety/health, or national security

Embargoes MAY terminate early when a quorum of Vendor Participants is prepared to release fixes for the vulnerability (\(q^{cs} \in VF\cdot\cdot\cdot\cdot\)), even if some Vendors remain unprepared (\(q^{cs} \in \cdot f \cdot\cdot\cdot\cdot\)).

Participants SHOULD consider the software supply chain for the vulnerability in question when determining an appropriate quorum for release.