Advisory Embargo

An advisory embargo is a mutually agreed period of confidentiality during which vulnerability details, proof-of-concept code, and related information are shared only among the affected manufacturer, the reporting researcher, and any CVD coordinators involved in the disclosure. The embargo period gives the manufacturer time to develop, test, and release a patch before the vulnerability becomes public knowledge. It is typically established at the point of report acknowledgement and runs until a coordinated release date — the point at which both the manufacturer's advisory and the researcher's public disclosure are released simultaneously. Embargoes are central to the coordinated vulnerability disclosure model and underpin the trust relationship between the security research community and manufacturers.

The length of an embargo period should be established based on estimated remediation complexity. Common frameworks:

• Standard: 90 days from confirmed receipt of a reproducible report.
• Accelerated: 30–45 days for critical vulnerabilities or when the manufacturer confirms rapid remediation is feasible.
• Extended: Beyond 90 days by mutual agreement for systemic vulnerabilities requiring architectural changes or multi-vendor coordination.

• Set the release date collaboratively with the researcher, not unilaterally.
• Provide regular status updates to the researcher throughout the embargo period.
• Agree on a specific release date and time (including timezone) to avoid ambiguity.
• If the release date must change, renegotiate with the researcher promptly — silent extensions erode trust and often lead to unilateral disclosure.

Several circumstances legitimise shortening or breaking an embargo:

• Active exploitation: If evidence emerges that the embargoed vulnerability is being actively exploited in the wild before the release date, the embargo should be broken immediately. Keeping a vulnerability secret that is already being weaponised harms users. The CRA's 24-hour ENISA notification obligation applies upon confirmed active exploitation regardless of any existing embargo.
• Independent discovery: If a third party independently discovers and discloses the same vulnerability, the embargo is effectively broken. The manufacturer should accelerate advisory release.
• Researcher emergency disclosure: Researchers may break an embargo if they have compelling evidence the manufacturer is acting in bad faith (e.g., using the embargo to suppress disclosure while not developing a fix). This is rare and typically done with coordinator involvement.
• Deadline expiry: If the agreed deadline is reached without mutual extension, the researcher is entitled to publish.

When a vulnerability affects components used across multiple manufacturers' products, the embargo involves multiple parties simultaneously, significantly increasing complexity. Multi-party embargoes require:

• A coordinating CSIRT or organisation (CERT/CC, NCSC-NL, or ENISA) to manage communications.
• A shared, secure channel for coordinating parties — PGP-encrypted email lists or secure collaboration platforms.
• A single coordinated release date agreed among all affected parties.
• Contingency planning for scenarios where some parties cannot be ready by the agreed date.

Manufacturers should have a defined process for participating in multi-party embargoes, including a named individual authorised to commit to an embargo timeline and a fast-track development and review process for patch development under embargo constraints.