Coordinated Vulnerability Disclosure
This CVD repository is an implementation of the CVD Guide guidance document. The CVD guidance document describes the phases of a CVD as Discovery, Reporting, Triage, Remediation, Public Awareness, followed by Deployment. It also defines roles that identify the stakeholders integral to the CVD process. Below is a quick overview of these phases in tabular form.
Phases/Roles | Finder | Reporter | Vendor | Coordinator | Deployer |
---|---|---|---|---|---|
Discovery | Finds Vulnerabilities | - | - | - | - |
Reporting | Prepares Report | Reports Vulnerabilities | Receives Reports | Receives Report, Assists Reporting | - |
Triage | - | Validates and Prioritizes report for response | Prepares patches, Develops advisory | Validates reports received and Prioritizes | - |
Remediation | - | Confirms Fix | Prepares patches, Develops advisory | Coordinates multiparty response, Develops advisory | - |
Public Awareness | Publishes report | Publishes report | Publishes report | Publishes report | Receives Report |
Deployment | - | - | - | Monitors Deployment | Deploys fixes and/or mitigations |
This repository attempts to build a machine that follows the CVD process, providing both CVD data schemas and related CVD processing engines that carry a case through these phases. The diagram below and the related table are ongoing work in this area to create a schema and a machine that will process the schema and advance CVD through its phases.
Input | Processing-Engine | Output | Audience |
---|---|---|---|
Vendor_search | Discovery-Engine | Report_methods | Finder |
Vul_report | Reporting-Service | Vul_report | Coordinator |
Vul_report | Triage-Manager | Vul_coordinate | Finder,Coordinator,Vendor |
Vul_coordinate | Remediation-Broker | Vul_remediate | Finder,Coordinator,Vendor |
Vul_remediate | Publishing-Service | Vul_notice | All |
Vul_notice | Deployment-Tracker | Vul_metrics | All |
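As an added example (not the repository's own code), the Python below models the table above as an ordered pipeline that refuses to skip or reorder engines. The readiness gates and the `finder_prepares_report` hand-off are assumptions made here, since the README defines no schema fields yet.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple
# Stages transcribed from the Input / Processing-Engine / Output / Audience table.
# Order matters: "Vul_report" is the input of two consecutive stages, so the
# machine must track its position in the pipeline, not just the artifact kind.
STAGES = [
    ("Vendor_search",  "Discovery-Engine",   "Report_methods", {"Finder"}),
    ("Vul_report",     "Reporting-Service",  "Vul_report",     {"Coordinator"}),
    ("Vul_report",     "Triage-Manager",     "Vul_coordinate", {"Finder", "Coordinator", "Vendor"}),
    ("Vul_coordinate", "Remediation-Broker", "Vul_remediate",  {"Finder", "Coordinator", "Vendor"}),
    ("Vul_remediate",  "Publishing-Service", "Vul_notice",     {"All"}),
    ("Vul_notice",     "Deployment-Tracker", "Vul_metrics",    {"All"}),
]

# Readiness gates are an assumption of this example (the README has no schema
# fields yet): an engine runs only once the named evidence is on the case.
GATES = {
    "Reporting-Service":  "vendor_contact",  # a report needs somewhere to go
    "Triage-Manager":     "validated",       # Coordinator validated the report
    "Remediation-Broker": "fix_confirmed",   # Reporter confirmed the fix
    "Publishing-Service": "advisory",        # advisory text exists to publish
}

@dataclass
class CVDCase:
    kind: str = "Vendor_search"   # artifact the case currently holds
    stage: int = 0                # index of the next stage to run
    evidence: Dict[str, object] = field(default_factory=dict)

def finder_prepares_report(case: CVDCase) -> None:
    """Bridge between the two tables: in the Reporting row of the phases table
    the Finder 'Prepares Report' from the Report_methods it was given."""
    if case.kind != "Report_methods":
        raise ValueError("a Vul_report is prepared from Report_methods")
    case.kind = "Vul_report"

def advance(case: CVDCase, **new_evidence) -> Tuple[str, Set[str]]:
    """Run the next engine on the case; return (engine, audience) of its output."""
    if case.stage >= len(STAGES):
        raise ValueError("case already produced Vul_metrics; pipeline complete")
    case.evidence.update(new_evidence)
    inp, engine, out, audience = STAGES[case.stage]
    if case.kind != inp:
        raise ValueError(f"{engine} expects {inp}, case holds {case.kind}")
    gate = GATES.get(engine)
    if gate and not case.evidence.get(gate):
        raise ValueError(f"{engine} blocked: case lacks {gate}")
    case.kind, case.stage = out, case.stage + 1
    return engine, audience
```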