Commit
1 parent 4799e2e, commit 82a302e
Showing 4 changed files with 31 additions and 35 deletions.
@@ -0,0 +1,23 @@ | ||
# Decisions During Vulnerability Coordination | ||
|
||
Coordinators are facilitators within the vulnerability management ecosystem. | ||
Since coordinators neither supply nor deploy the vulnerable component in question, their decisions are different from suppliers' or deployers' decisions. | ||
This section provides a window into CERT/CC's decisions as an example of how a coordinator might use SSVC to make its own decisions. | ||
|
||
Coordinators vary quite a lot, and their use of SSVC may likewise vary. | ||
A coordinator may want to gather and publish information about SSVC decision points that it does not use internally in order to assist its constituents. | ||
Furthermore, a coordinator may only publish some of the information it uses to make decisions. | ||
Consistent with other stakeholder perspectives (supplier and deployer), SSVC provides the priority with which a coordinator should take some defined action, but not how to do that action. | ||
For more information about types of coordinators and their facilitation actions within vulnerability management, see [@householder2020cvd]. | ||
|
||
The two decisions that CERT/CC makes as a coordinator that we will discuss in terms of SSVC are the initial triage of vulnerability reports and whether a publication about a vulnerability is warranted. | ||
The initial coordination decision is a prioritization decision, but it does not have the same values as prioritization by a deployer or supplier. | ||
The publication decision for us is a binary yes/no. | ||
These two decisions are not the entirety of vulnerability coordination, but we leave further details of the process for future work. | ||
|
||
Different coordinators have different scopes and constituencies. | ||
See [@householder2020cvd, 3.5] for a listing of different coordinator types. | ||
If a coordinator receives a report that is outside its own work scope or constituency, it should make an effort to route the report to a more suitable coordinator. | ||
The decisions in this section assume the report or vulnerability in question is in the work scope or constituency for the coordinator. | ||
|
||
|
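Review bot: the new file ends with two blank lines (the last two lines of the hunk); trim to a single trailing newline so markdown linters do not flag it. The voice also shifts within one section, from third person ("CERT/CC's decisions" in the first paragraph) to first person ("The publication decision for us is a binary yes/no" and "we leave further details of the process for future work" in the third); pick one and apply it throughout. The third paragraph states that the initial coordination decision "does not have the same values as prioritization by a deployer or supplier" without naming those values or pointing to where the two decision trees (initial triage and publication) are defined; either list the values here or add a cross-reference to the sections that define them.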