Commit

refactor coordinator sections
ahouseholder committed Nov 8, 2023
1 parent 4799e2e commit 82a302e
Showing 4 changed files with 31 additions and 35 deletions.
32 changes: 5 additions & 27 deletions docs/howto/coordination_decisions.md
@@ -1,29 +1,4 @@

# Decisions During Vulnerability Coordination

Coordinators are facilitators within the vulnerability management ecosystem.
Since coordinators neither supply nor deploy the vulnerable component in question, their decisions are different from suppliers' or deployers' decisions.
This section provides a window into CERT/CC's decisions as an example of how a coordinator might use SSVC to make its own decisions.

Coordinators vary quite a lot, and their use of SSVC may likewise vary.
A coordinator may want to gather and publish information about SSVC decision points that it does not use internally in order to assist its constituents.
Furthermore, a coordinator may only publish some of the information it uses to make decisions.
Consistent with other stakeholder perspectives (supplier and deployer), SSVC provides the priority with which a coordinator should take some defined action, but not how to do that action.
For more information about types of coordinators and their facilitation actions within vulnerability management, see [@householder2020cvd].

The two decisions that CERT/CC makes as a coordinator that we will discuss in terms of SSVC are the initial triage of vulnerability reports and whether a publication about a vulnerability is warranted.
The initial coordination decision is a prioritization decision, but it does not have the same values as prioritization by a deployer or supplier.
The publication decision for us is a binary yes/no.
These two decisions are not the entirety of vulnerability coordination, but we leave further details of the process for future work.

Different coordinators have different scopes and constituencies.
See [@householder2020cvd, 3.5] for a listing of different coordinator types.
If a coordinator receives a report that is outside its own work scope or constituency, it should make an effort to route the report to a more suitable coordinator.
The decisions in this section assume the report or vulnerability in question is in the work scope or constituency for the coordinator.



## Coordination Triage Decisions
# Coordination Triage Decisions

We take three priority levels in our decision about whether and how to coordinate a vulnerability [@householder2020cvd, 1.1] based on an incoming report:

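Review bot: the file now opens with a blank line ahead of the promoted `# Coordination Triage Decisions` heading; drop that leading blank so the level-1 heading is the first line. Since this becomes the page's only H1, it will be used as the page title, so confirm it reads sensibly next to the nav label `Coordination Decision` in mkdocs.yml. The removed introduction is reproduced verbatim in the new `coordination_intro.md`, so nothing is lost in the move.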
@@ -41,6 +16,9 @@ To assess this, the decision involves five new decision points.

{== TODO link to specific decision points ==}




## Coordination Triage Decision Process

The decision tree for reaching a [Decision](#coordination-triage-decisions) involves seven decision points.
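Review bot: this hunk inserts three consecutive blank lines before `## Coordination Triage Decision Process`; one blank line between sections is enough and keeps the Markdown linter quiet. The `{== TODO link to specific decision points ==}` critic markup is still unresolved and will render visibly if the critic extension is enabled on the published site.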
@@ -53,4 +31,4 @@ In the second case, CERT/CC may encourage the reporter to contact the supplier a
These two sets of exceptional circumstances mean that the seven decision points involved in the coordination triage tree can be compressed slightly, as the tree shows.
This tree's information is available as either a [CSV](https://github.com/CERTCC/SSVC/blob/main/data/ssvc_2_coord-triage.csv) or [PDF](https://github.com/CERTCC/SSVC/blob/main/doc/graphics/ssvc_2_coord-triage.pdf)

{== TODO merge with [Coordinator Trees](coordinator_trees.md)? ==}
{% include-markdown './coordinator_trees.md' heading-offset=1 %}
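Review bot: `heading-offset=1` is the right choice here, since it turns the included file's `# Triage Decision Tree` and `## Table of Values` back into `##` and `###`, matching the levels this page used before. Two things to check: the relative paths inside `coordinator_trees.md` (`../../pdf/...` and `../../data/csvs/...`) must still resolve once the content is rendered under this page's URL, and the sentence ending with `...or [PDF](...)` in the unchanged context above is missing its full stop.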
23 changes: 23 additions & 0 deletions docs/howto/coordination_intro.md
@@ -0,0 +1,23 @@
# Decisions During Vulnerability Coordination

Coordinators are facilitators within the vulnerability management ecosystem.
Since coordinators neither supply nor deploy the vulnerable component in question, their decisions are different from suppliers' or deployers' decisions.
This section provides a window into CERT/CC's decisions as an example of how a coordinator might use SSVC to make its own decisions.

Coordinators vary quite a lot, and their use of SSVC may likewise vary.
A coordinator may want to gather and publish information about SSVC decision points that it does not use internally in order to assist its constituents.
Furthermore, a coordinator may only publish some of the information it uses to make decisions.
Consistent with other stakeholder perspectives (supplier and deployer), SSVC provides the priority with which a coordinator should take some defined action, but not how to do that action.
For more information about types of coordinators and their facilitation actions within vulnerability management, see [@householder2020cvd].

The two decisions that CERT/CC makes as a coordinator that we will discuss in terms of SSVC are the initial triage of vulnerability reports and whether a publication about a vulnerability is warranted.
The initial coordination decision is a prioritization decision, but it does not have the same values as prioritization by a deployer or supplier.
The publication decision for us is a binary yes/no.
These two decisions are not the entirety of vulnerability coordination, but we leave further details of the process for future work.

Different coordinators have different scopes and constituencies.
See [@householder2020cvd, 3.5] for a listing of different coordinator types.
If a coordinator receives a report that is outside its own work scope or constituency, it should make an effort to route the report to a more suitable coordinator.
The decisions in this section assume the report or vulnerability in question is in the work scope or constituency for the coordinator.


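Review bot: the new file ends with two trailing blank lines; trim to a single newline. Otherwise this is a clean verbatim move of the introduction out of `coordination_decisions.md`, including the `[@householder2020cvd]` citations, which rely on the bibliography plugin being active for this page as well.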
8 changes: 2 additions & 6 deletions docs/howto/coordinator_trees.md
@@ -1,8 +1,4 @@
# Coordinator Trees

As described in [Decisions During Vulnerability Coordination](#decisions-during-vulnerability-coordination), a coordination stakeholder usually makes separate triage and publication decisions. Each have trees presented below.

## Triage Decision Tree
# Triage Decision Tree

<embed src="../../pdf/ssvc_2_coord-triage.pdf" alt="Coordination Triage Tree" type="application/pdf"
style="width: 100%;"
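Review bot: removing the `# Coordinator Trees` heading and the lead sentence that linked to `#decisions-during-vulnerability-coordination` is appropriate, because that heading no longer lives in `coordination_decisions.md` after this commit and the anchor would have broken. With `# Triage Decision Tree` now the sole H1, the standalone page title changes; make sure that is intended if the page remains reachable on its own.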
@@ -11,7 +7,7 @@ height = "700" />
This tree is a suggestion in that CERT/CC believes it works for us.
Other coordinators should consider customizing the tree to their needs, as described in [Tree Construction and Customization Guidance](#tree-construction-and-customization-guidance).

### Table of Values
## Table of Values

{{ read_csv('../../data/csvs/coord-triage-options.csv') }}

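Review bot: the unchanged context line links to `#tree-construction-and-customization-guidance` as a same-page anchor, but no heading by that name appears in this file; verify that it resolves both on the standalone page and when the file is pulled in via `include-markdown`, and point it at the page that actually carries that section if it does not.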
3 changes: 1 addition & 2 deletions mkdocs.yml
@@ -37,10 +37,9 @@ nav:
- Supplier Decision Model: 'howto/supplier_tree.md'
- Deployer Decision Model: 'howto/deployer_tree.md'
- Coordinator Decision Models:
- About Coordination: 'howto/coordination_intro.md'
- Coordination Decision: 'howto/coordination_decisions.md'
- Coordinator Triage Tree: 'howto/coordinator_trees.md'
- Publication Decision: 'howto/publication_decision.md'
- Coordinator Publication Tree: 'howto/coordinator_publish_tree.md'
- Bootstrapping SSVC:
- Intro: 'howto/bootstrap/index.md'
- Prepare: 'howto/bootstrap/prepare.md'
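Review bot: the rendered view has lost the `+`/`-` markers, so it is not clear which two nav entries were removed. If `howto/coordinator_trees.md` stays in the nav alongside the new `include-markdown` in `coordination_decisions.md`, the triage tree will be published twice, on its own page and embedded; either drop the nav entry or keep the standalone page deliberately and say so in the commit message.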
