Embargo Principles
This page is normative
This page is considered a core part of the Vultron Protocol. This is a normative section of the documentation.
Embargoes are a means of inhibiting public disclosure of a vulnerability while defenses are prepared (e.g., until fix development has completed for a reasonable quorum of Vendors).
The goal of the EM process is not to establish an exact publication schedule for every Participant to adhere to. Rather,
Embargo Management Process Goal
The goal of the Embargo Management process is to establish a window spanning from the present to some future time, during which Participants are expected to not publish or otherwise disclose information about the vulnerability to non-Participants outside of the CVD case.
Hence our definition of an embargo:
Embargo Definition
An embargo is an informal agreement among peer CVD case Participants to refrain from publishing information about a vulnerability until some future point in time.
Embargoes Are a Social Agreement
An embargo is a social agreement between independent parties acting in the interest of providing vulnerability fixes to users in a timely manner while minimizing attacker advantage in the interim. However, embargoes are not always appropriate or useful within the context of any given CVD case.
With that in mind, we offer the following principles as guidance. We begin with some behavioral norms that define what it means to cooperate with an embargo.
Embargo Participants SHOULD NOT knowingly release information about an embargoed case until either
- all proposed embargoes have been explicitly rejected
- no proposed embargo has been explicitly accepted in a timely manner
- the expiration date/time of an accepted embargo has passed
- an accepted embargo has been terminated prior to the embargo expiration date and time due to other reasons (e.g., those outlined in Early Termination)
Additional Participants MAY be added to an existing embargo upon accepting the terms of that embargo.
Adding Participants to an existing embargo SHALL NOT constitute "release" or "publication" so long as those Participants accept the terms of the embargo.
See Adding Participants for more information.
Embargoes are Limited Short-Term Agreements
Given all other facts about a vulnerability report being equal, there are two factors that contribute significantly to the success or failure of an embargo: scale and duration. The more people involved in an embargo, the more likely the embargo is to fail.
Embargo participation SHOULD be limited to the smallest possible set of individuals and organizations needed to adequately address the vulnerability report.
Similarly, the longer an embargo lasts, the more likely it is to fail.
Embargo duration SHOULD be limited to the shortest duration possible to adequately address the vulnerability report.
Furthermore, we need to establish a few norms related to embargo timing.
An embargo SHALL specify an unambiguous date and time as its endpoint.
An embargo SHALL NOT be used to indefinitely delay publication of vulnerability information, whether through repeated extension or by setting a long-range endpoint.
An embargo SHALL begin at the moment it is accepted.
Embargoes SHOULD be of short duration, from a few days to a few months.
CVD Embargoes Are Not NDAs
CVD embargoes are not Non-Disclosure Agreements (NDAs). An NDA (also known as a Confidentiality agreement) is a legally binding contract between parties, often accompanied by a reward for compliance and/or some penalty in the event of unauthorized disclosure. NDAs do, on occasion, have a place in CVD processes, but the relatively rapid pace and scale of most MPCVD embargoes makes per-case NDAs prohibitively difficult. As a result, we are intentionally setting aside NDA negotiation as beyond the scope of this proposal.
On the surface, many bug bounty programs may appear to fall outside our scope because they are often structured as NDAs in which compliance is rewarded. For some bounty programs, the penalty for non-compliance or early disclosure is limited to the loss of the reward. For others, non-compliance can lead to the forfeiture of a promise of amnesty from the pursuit of civil or criminal charges that might otherwise apply because of security or acceptable-use policy violations. Nevertheless, we are optimistic that the bulk of this protocol (i.e., the parts that do not interfere with the contractual provisions of bounty-associated NDAs) will be found to be compatible with the full variety of bounty-oriented CVD programs existing now and in the future.
Embargo Participants Are Free to Engage or Disengage
As we just described, an embargo is not the same thing as an NDA, even if they have similar effects. Because it is a contract, an NDA can carry civil or even criminal penalties for breaking it. CVD embargoes have no such legal framework. Hence, CVD Participants are free to enter or exit an embargo at any time, for any reason. In fact, CVD Participants are not obliged to agree to any embargo at all. However, regardless of their choices, Participants should be clear about their status and intentions with other Participants. There are a few good reasons to exit an embargo early. (See Early Termination for more information.)
Participants MAY propose a new embargo or revision to an existing embargo at any time within the constraints outlined in Negotiating Embargoes.
Participants MAY reject proposed embargo terms for any reason.
Participants in an embargo MAY exit the embargo at any time.
Leaving an Embargo is Not Embargo Termination
Note that a Participant leaving an embargo is not necessarily the same as the embargo itself terminating. Embargo termination corresponds to the \(q^{em} \in \{A,R\} \xrightarrow{t} X\) transition in the EM model and reflects a consensus among case Participants that the embargo no longer applies. A Participant leaving an Active embargo means that the embargo agreement between other Participants remains intact, but that the leaving Participant is no longer involved in the case.
Participants stopping work on a case SHOULD notify remaining Participants of their intent to adhere to or disregard any existing embargo associated with the case.
Participants SHOULD continue to comply with any active embargoes to which they have been a party, even if they stop work on the case.
Participants who leave an Active embargo SHOULD be removed by the remaining Participants from further communication about the case.
Embargo Engagement and Adherence
We return to these concepts with the case_engagement and embargo_adherence attributes described in Case Object.
These points imply a need for Participants to track the status of other Participants with respect to their adherence to the embargo and engagement with the case.
Leaving an Embargo May Have Consequences
As we note in the CVD Guide, CVD is an iterated game, and actions have consequences. Leaving an embargo early in one case may have repercussions to Participants' willingness to cooperate in later cases.
A Participant's refusal to accept embargo terms MAY result in that Participant being left out of the CVD case entirely.
Participants SHOULD consider other Participants' history of cooperation when evaluating the terms of a proposed embargo.
Embargo Termination is Not the Same as Publication
Finally, embargo termination removes a constraint rather than adding an obligation.
Participants SHOULD NOT publish information about the vulnerability when there is an active embargo.
Participants MAY publish information about the vulnerability when there is no active embargo.
Embargo termination SHALL NOT be construed as an obligation to publish.
A discussion of how to decide who to invite to participate in a CVD case is addressed in Adding Participants.
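The timing norms and the distinction between a Participant leaving and the embargo terminating can be made concrete in a small model. This is an added example, not code from the Vultron project: `Embargo`, `check_endpoint`, `departed` and the 120-day `MAX_DURATION` are hypothetical names and values, and treating state R like A (embargo still in force) is an assumption, since the page names A, R and X without expanding them.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption: the page says "a few days to a few months" and gives no number.
MAX_DURATION = timedelta(days=120)

def check_endpoint(end, accepted_at):
    """Return the timing norms a proposed endpoint violates (empty list = ok)."""
    if end.utcoffset() is None:
        return ["endpoint has no UTC offset, so it is ambiguous"]
    problems = []
    if end <= accepted_at:
        problems.append("endpoint is not after the acceptance time")
    if end - accepted_at > MAX_DURATION:
        problems.append("endpoint is a long-range delay")
    return problems

@dataclass
class Embargo:
    end: datetime
    accepted_at: datetime            # an embargo begins when it is accepted
    state: str = "A"                 # "A", "R" or "X", as named on the page
    participants: set = field(default_factory=set)
    departed: set = field(default_factory=set)

    def leave(self, who):
        """One Participant exits; the agreement among the rest stays intact."""
        if who in self.participants:
            self.participants.remove(who)
            self.departed.add(who)   # dropped from further case communication

    def terminate(self):
        """The {A,R} -> X transition: consensus that the embargo is over."""
        if self.state in ("A", "R"):
            self.state = "X"

    def in_effect(self, now):
        return self.state in ("A", "R") and now < self.end

    def may_publish(self, who, now):
        """True when `who` is under no embargo constraint; never an obligation."""
        bound = who in self.participants or who in self.departed
        return not (bound and self.in_effect(now))

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed sample
    e = Embargo(t0 + timedelta(days=45), t0, participants={"finder", "vendor"})
    e.leave("finder")
    print(e.state, e.may_publish("finder", t0 + timedelta(days=10)))
```

A departed Participant stays in `departed` so that the SHOULD-continue-to-comply norm can still be evaluated for them after they are removed from case communication.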