From 82a302e911b150936939000ae8e605364dec780c Mon Sep 17 00:00:00 2001 From: "Allen D. Householder" Date: Wed, 8 Nov 2023 15:47:19 -0500 Subject: [PATCH] refactor coordinator sections --- docs/howto/coordination_decisions.md | 32 +++++----------------------- docs/howto/coordination_intro.md | 23 ++++++++++++++++++++ docs/howto/coordinator_trees.md | 8 ++----- mkdocs.yml | 3 +-- 4 files changed, 31 insertions(+), 35 deletions(-) create mode 100644 docs/howto/coordination_intro.md diff --git a/docs/howto/coordination_decisions.md b/docs/howto/coordination_decisions.md index 238f5a07..7a051a61 100644 --- a/docs/howto/coordination_decisions.md +++ b/docs/howto/coordination_decisions.md 
@@ -1,29 +1,4 @@ - -# Decisions During Vulnerability Coordination - -Coordinators are facilitators within the vulnerability management ecosystem. -Since coordinators neither supply nor deploy the vulnerable component in question, their decisions are different from suppliers' or deployers' decisions. -This section provides a window into CERT/CC's decisions as an example of how a coordinator might use SSVC to make its own decisions. - -Coordinators vary quite a lot, and their use of SSVC may likewise vary. -A coordinator may want to gather and publish information about SSVC decision points that it does not use internally in order to assist its constituents. -Furthermore, a coordinator may only publish some of the information it uses to make decisions. -Consistent with other stakeholder perspectives (supplier and deployer), SSVC provides the priority with which a coordinator should take some defined action, but not how to do that action. -For more information about types of coordinators and their facilitation actions within vulnerability management, see [@householder2020cvd]. - -The two decisions that CERT/CC makes as a coordinator that we will discuss in terms of SSVC are the initial triage of vulnerability reports and whether a publication about a vulnerability is warranted. -The initial coordination decision is a prioritization decision, but it does not have the same values as prioritization by a deployer or supplier. -The publication decision for us is a binary yes/no. -These two decisions are not the entirety of vulnerability coordination, but we leave further details of the process for future work. - -Different coordinators have different scopes and constituencies. -See [@householder2020cvd, 3.5] for a listing of different coordinator types. -If a coordinator receives a report that is outside its own work scope or constituency, it should make an effort to route the report to a more suitable coordinator. 
-The decisions in this section assume the report or vulnerability in question is in the work scope or constituency for the coordinator. - - - -## Coordination Triage Decisions +# Coordination Triage Decisions We take three priority levels in our decision about whether and how to coordinate a vulnerability [@householder2020cvd, 1.1] based on an incoming report: @@ -41,6 +16,9 @@ To assess this, the decision involves five new decision points. {== TODO link to specific decision points ==} + + + ## Coordination Triage Decision Process The decision tree for reaching a [Decision](#coordination-triage-decisions) involves seven decision points. @@ -53,4 +31,4 @@ In the second case, CERT/CC may encourage the reporter to contact the supplier a These two sets of exceptional circumstances mean that the seven decision points involved in the coordination triage tree can be compressed slightly, as the tree shows. This tree's information is available as either a [CSV](https://github.com/CERTCC/SSVC/blob/main/data/ssvc_2_coord-triage.csv) or [PDF](https://github.com/CERTCC/SSVC/blob/main/doc/graphics/ssvc_2_coord-triage.pdf) -{== TODO merge with [Coordinator Trees](coordinator_trees.md)? ==} \ No newline at end of file +{% include-markdown './coordinator_trees.md' heading-offset=1 %} \ No newline at end of file diff --git a/docs/howto/coordination_intro.md b/docs/howto/coordination_intro.md new file mode 100644 index 00000000..2824c122 --- /dev/null +++ b/docs/howto/coordination_intro.md 
@@ -0,0 +1,23 @@ +# Decisions During Vulnerability Coordination + +Coordinators are facilitators within the vulnerability management ecosystem. +Since coordinators neither supply nor deploy the vulnerable component in question, their decisions are different from suppliers' or deployers' decisions. +This section provides a window into CERT/CC's decisions as an example of how a coordinator might use SSVC to make its own decisions. + +Coordinators vary quite a lot, and their use of SSVC may likewise vary. +A coordinator may want to gather and publish information about SSVC decision points that it does not use internally in order to assist its constituents. +Furthermore, a coordinator may only publish some of the information it uses to make decisions. +Consistent with other stakeholder perspectives (supplier and deployer), SSVC provides the priority with which a coordinator should take some defined action, but not how to do that action. +For more information about types of coordinators and their facilitation actions within vulnerability management, see [@householder2020cvd]. + +The two decisions that CERT/CC makes as a coordinator that we will discuss in terms of SSVC are the initial triage of vulnerability reports and whether a publication about a vulnerability is warranted. +The initial coordination decision is a prioritization decision, but it does not have the same values as prioritization by a deployer or supplier. +The publication decision for us is a binary yes/no. +These two decisions are not the entirety of vulnerability coordination, but we leave further details of the process for future work. + +Different coordinators have different scopes and constituencies. +See [@householder2020cvd, 3.5] for a listing of different coordinator types. +If a coordinator receives a report that is outside its own work scope or constituency, it should make an effort to route the report to a more suitable coordinator. 
+The decisions in this section assume the report or vulnerability in question is in the work scope or constituency for the coordinator. + + diff --git a/docs/howto/coordinator_trees.md b/docs/howto/coordinator_trees.md index df828084..90640a33 100644 --- a/docs/howto/coordinator_trees.md +++ b/docs/howto/coordinator_trees.md @@ -1,8 +1,4 @@ -# Coordinator Trees - -As described in [Decisions During Vulnerability Coordination](#decisions-during-vulnerability-coordination), a coordination stakeholder usually makes separate triage and publication decisions. Each have trees presented below. - -## Triage Decision Tree +# Triage Decision Tree This tree is a suggestion in that CERT/CC believes it works for us. Other coordinators should consider customizing the tree to their needs, as described in [Tree Construction and Customization Guidance](#tree-construction-and-customization-guidance). -### Table of Values +## Table of Values {{ read_csv('../../data/csvs/coord-triage-options.csv') }} diff --git a/mkdocs.yml b/mkdocs.yml index 583ef0a0..cf1bf770 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -37,10 +37,9 @@ nav: - Supplier Decision Model: 'howto/supplier_tree.md' - Deployer Decision Model: 'howto/deployer_tree.md' - Coordinator Decision Models: + - About Coordination: 'howto/coordination_intro.md' - Coordination Decision: 'howto/coordination_decisions.md' - - Coordinator Triage Tree: 'howto/coordinator_trees.md' - Publication Decision: 'howto/publication_decision.md' - - Coordinator Publication Tree: 'howto/coordinator_publish_tree.md' - Bootstrapping SSVC: - Intro: 'howto/bootstrap/index.md' - Prepare: 'howto/bootstrap/prepare.md'
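Review bot: In the first `coordination_decisions.md` hunk, promoting `## Coordination Triage Decisions` to `#` keeps the later `[Decision](#coordination-triage-decisions)` anchor valid, but the page now opens cold on that heading with all of the framing moved to `coordination_intro.md`; a one-line pointer back to that page at the top (e.g. "See [About Coordination](coordination_intro.md) for the scope these decisions assume.") would keep the "report is in the coordinator's work scope" assumption visible to readers who land here directly.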
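Review bot: The `@@ -41,6 +16,9 @@` hunk adds three consecutive blank lines above `## Coordination Triage Decision Process` and leaves the `{== TODO link to specific decision points ==}` critic marker in place; collapse the blanks to one, and either resolve the TODO or confirm the critic extension strips it, since `{== ... ==}` renders as visible highlighted text if it is enabled.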
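Review bot: In the `@@ -53,4 +31,4 @@` hunk, `{% include-markdown './coordinator_trees.md' heading-offset=1 %}` shifts the included `# Triage Decision Tree` / `## Table of Values` to `##` / `###`, which matches the levels used before the refactor, so the heading structure is consistent; two things to verify in a local build are that the included file's bare anchor `#tree-construction-and-customization-guidance` resolves inside this page, and that `read_csv('../../data/csvs/coord-triage-options.csv')` still resolves when the content is pulled in via include rather than rendered from its own file. Also add the trailing newline the hunk drops (`\ No newline at end of file`).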
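Review bot: The new `coordination_intro.md` names the two decisions it introduces ("the initial triage of vulnerability reports and whether a publication about a vulnerability is warranted") but links to neither; since the nav now lists it as "About Coordination" ahead of both decision pages, link those phrases to `coordination_decisions.md` and `publication_decision.md`. Trim the two trailing blank lines at the end of the file as well.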
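Review bot: Dropping `# Coordinator Trees` and the sentence that linked to `#decisions-during-vulnerability-coordination` from `coordinator_trees.md` is the right call, since that heading no longer lives in the same page; however the file still sits under `docs/` after its nav entry is removed, so MkDocs will continue to build it as a stand-alone page with the un-offset `#` heading and the dangling `#tree-construction-and-customization-guidance` anchor. Consider moving include-only fragments out of the rendered tree or listing them under `not_in_nav` if the MkDocs version in use supports it.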
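Review bot: The `mkdocs.yml` hunk removes `Coordinator Publication Tree: 'howto/coordinator_publish_tree.md'` from the nav, but nothing in this patch adds a corresponding `include-markdown` of that file to `publication_decision.md` the way `coordinator_trees.md` is pulled into `coordination_decisions.md`; unless that include already exists, the publication tree becomes unreachable from the navigation. Either keep the nav entry until the matching include lands or add the include in this same commit so the refactor is self-consistent.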