10

Via Hackernews I landed on "An Ancient Security Hole is (Not) Closed", which mentions "embargoes" on several occasions, e.g.:

...I have no interest in digging out more details or ruining embargoes that I'm not party to.

I know the generic meaning of "embargo", but am unsure of what the security-related version specifically means. Security.SE has no question on what such an embargo is. My Google-fu leads to only related articles or other types of embarboes.

Common sense tells me it's just that a target of a vulnerability would politely ask that you don't disclose them before they've fixed things. Is it just that, or is there more to it?

Jeroen
  • 859
  • 9
  • 15

1 Answers1

11

Embargo of a security issue means that the issue will not be publicly disclosed for some time by the vendor/discoverer. This is usually done to give the affected companies enough time to fix the problem and ship the fixes to the customers. If multiple parties are involved or if the needed code changes are done in public repositories, embargoes can get tricky because the chance that the issue gets early known is much higher than with a single party.

Steffen Ullrich
  • 201,479
  • 30
  • 402
  • 465
  • Does that imply that it is usually (unless covered by an NDA or so forth) a matter of courtesy? – Jeroen Jun 21 '17 at 12:47
  • Yes, this is usually a matter of courtesy - in the interest of the security of the affected customers. – Steffen Ullrich Jun 21 '17 at 12:48
  • @Jeroen I would stress "usually" though. Jurisdictions vary and things that might seem insane to some are commonplace in the courts. In some cases it is quite possible that you might be sued or even prosecuted for disclosing (or even just finding) a vulnerability even if done for quite legitimate reasons. – DRF Jun 21 '17 at 19:05