
Coordinated Disclosure of Cyber Vulnerabilities is a Win for Consumers and Industry

March 29, 2022

Authors: J. David Grossman, CTA Staff VP, Regulatory Affairs; Mike Bergman, CTA VP, Technology & Standards
Article Summary

Security is central to the relationship consumers have with their favorite technology products and services. With cyberattacks growing both in number and sophistication, especially with increasing threats from foreign countries, the consumer technology industry has established processes for dealing with newly discovered security flaws. These processes include determining the appropriate timeline for reporting vulnerabilities to help protect systems and their users while bugs are fixed.

When a scientist makes a new discovery, they naturally want to be the first one to publish their work. But when a researcher discovers a new security vulnerability, sharing with the public before a fix is ready can benefit malicious cyber criminals, who may use this opportunity to access vulnerable systems, install malware, steal credentials, and cause further damage.

That’s why companies have collaborated with researchers, law enforcement, and other stakeholders to establish a standard protocol for reporters of vulnerabilities to publish their work without putting undue risk on users of the technology. This includes informing the responsible organization and giving them a chance to fix the vulnerability prior to public disclosure. Doing so protects the public by preventing cyber criminals from taking advantage of the discovery before a fix is available.

This practice is called “coordinated vulnerability disclosure,” or CVD. Because no two cyberattacks are the same, the CVD model requires coordination between the reporter who discovers a vulnerability and the responsible manufacturer or service provider before information is publicly released. Companies may aim for 90 days as an initial target for the process, but a variety of factors can shorten or lengthen this general timeline.

This timing is important. The best possible technical solution for customers might take longer than an emergency fix forced by a premature disclosure. Coordinated disclosure means, for example, a manufacturer of a popular device is made aware of an issue and can negotiate adequate time to fix it. Fixing a security flaw consists of several stages: learning of the vulnerability, replicating the issue, understanding the root cause, creating a patch, testing it, and making it available to affected customers. That’s a lot of steps.

The reality is that in some cases the process can go more quickly, such as when the product's operation does not depend on or affect other products or systems. In other cases, where the product is entangled within a larger ecosystem, the process can take significantly longer. It becomes especially complicated and time-consuming when multiple parties or multiple hardware components are involved. Although companies largely aim for 90 days as an initial target, when the situation is more complicated public disclosure is likely to take longer.

That is what happened with Spectre and Meltdown, two security vulnerabilities that affected multiple chipmakers across multiple products from personal computers to gaming systems. These vulnerabilities are now the subject of a case before the U.S. District Court of Oregon, which could lead to a set deadline for public disclosure or put companies in a position to incur significant litigation risk.

Last month, CTA member Intel Corp. filed a motion for reconsideration with the U.S. District Court of Oregon. This motion has broad implications for how the consumer technology industry manages the CVD process. If the court ultimately concludes that a vulnerability must be disclosed within 90 days, it could be interpreted as creating a new legal presumption for all security vulnerabilities, regardless of circumstances.

Establishing an arbitrary deadline of 90 days for this process is clearly inappropriate for such a complicated task. Pressing companies to meet an arbitrary deadline will lead to unintended consequences, which could potentially include new security flaws and cause products to stop working.

In addition, a U.S. legal requirement for disclosure on an arbitrary fixed timeline misaligns with international practices in the global technology marketplace. For example, the European Telecommunications Standards Institute (ETSI) process “aims to resolve all valid vulnerabilities within 90 days of reporting though it may take longer for complicated fixes” (emphasis added).

CTA believes that the correct approach must be predicated on understanding the unique circumstances involved in the vulnerability and crafting an appropriate response. This is already standard practice in the industry. An arbitrary deadline of 90 days ignores the realities of a complex and evolving situation, to the detriment of consumers, enterprises, manufacturers, software developers and national security.
