I wrote about disclosure policy in November without addressing the most contested middle ground: NDA-mediated disclosure. A friend at a vendor approached me last month asking me to review a vulnerability under non-disclosure; the experience has clarified my thinking enough to write about.
What NDA-mediated disclosure means
A vendor approaches a researcher with knowledge of a vulnerability — typically one the vendor has discovered internally or one a customer has reported. They ask the researcher to look at it in detail, under NDA, and provide a written assessment.
The researcher gets:
- Detailed technical information about the bug.
- Access to source code, sometimes.
- Direct access to vendor engineers.
- Compensation, in some cases.
- A formal acknowledgement, eventually.
The researcher commits to:
- Not publicly disclosing the bug for some defined period.
- Not using the information for personal benefit beyond the engagement.
- Treating the source code or proprietary information as confidential.
The full-disclosure community is uncomfortable with this arrangement. The argument: NDA disclosure transfers information from the public domain to a private domain, which advantages the vendor over independent researchers and benefits attackers (who have other channels) more than defenders.
The coordinated-disclosure community is comfortable with it. The argument: NDA disclosure produces better analysis than public discussion, because the researcher has access to source code and engineering context. The vendor benefits but so does the eventual public.
What my month with the engagement taught me
Three things, written down for my own use.
The technical depth was substantially higher than public disclosure would have produced. I had access to source code, which let me confirm the bug class precisely. I had access to the engineering team, which let me discuss specific design choices. The eventual published advisory was much better than what I could have produced from external observation alone.
The vendor's process was more disciplined than I had expected. The bug was triaged quickly, the fix was tested across multiple platforms, and the patch was reviewed by an independent team before release. The disciplined process is, in fairness, what I have been advocating for in my year-end posts.
The NDA period was reasonable: 60 days from my initial review to public disclosure. The patch was ready in 45 days, and the public advisory followed shortly after. The window during which the vulnerability was known privately but still exploitable was minimal.
Where I still have concerns
A few things are unresolved.
The asymmetry of access is real. Researchers like me, with the credibility to be invited into NDA engagements, have access to information the broader research community does not. The information flows benefit me at the cost of broader transparency. I am, in some sense, accepting a privilege at the cost of the public's right to scrutiny.
The pressure to be uncritical is structural. A researcher who consistently finds the vendor's products worse than the vendor wants to acknowledge will not be invited back. The researcher's incentive — implicit but real — is to be measured in their criticism. Whether this corrupts the analysis is, on the available evidence, a real question.
The compensation question is awkward. Some NDA engagements include compensation; mine did not. Whether this is the right model is unclear. Researchers who are not compensated for their time end up self-selecting for hobby-scale work; the field's professionalism may suffer.
What I am willing to do going forward
A short policy, for my own use:
Accept NDA engagements when:
- The vulnerability is serious enough that the analysis quality matters.
- The vendor has a track record of responsible disclosure.
- The NDA period is reasonable (90 days as a default cap).
- The eventual public disclosure includes adequate technical detail.
Decline NDA engagements when:
- The NDA terms are open-ended or restrictive on future research.
- The vendor is asking me to stay silent on related public issues.
- The compensation is large enough to compromise my judgement.
- The eventual public disclosure would be sanitised below the level the field needs.
The specific cases will be judgement calls. Writing the policy down forces me to think about the criteria explicitly.
What this implies for the broader question
The disclosure conversation, as I described in November, is not converging on a single answer. Different positions are appropriate for different situations. NDA disclosure is one valid mode, alongside coordinated disclosure and full disclosure. Each has its uses.
The meta-discipline is to be deliberate about which mode applies in each case, with explicit reasoning that can be reviewed later. The wrong choice in any specific case is not the failure mode; the failure mode is not having a choice, defaulting to whatever the immediate counterparty wants.
For my own writing: I will continue to discuss disclosure questions explicitly, including specific judgement calls. The field benefits from the conversation being public.