What people say, what people do, and what they say they do are entirely different things.
– Margaret Mead

Certain roles are critical to the Coordinated Vulnerability Disclosure process, as described below:

  • Finder (Discoverer) – the individual or organization that identifies the vulnerability
  • Reporter – the individual or organization that notifies the vendor of the vulnerability
  • Vendor – the individual or organization that created or maintains the product that is vulnerable
  • Deployer – the individual or organization that must deploy a patch or take other remediation action
  • Coordinator – an individual or organization that facilitates the coordinated response process

Although a more detailed description of the CVD process is provided in Section 4, a simple sketch of the relationships between these roles is shown in Figure 1.

Figure 1: CVD Role Relationships

It is possible and often the case that individuals and organizations play multiple roles. For example, a cloud service provider might act as both vendor and deployer, while a researcher might act as both finder and reporter. A vendor may also be both a deployer and a coordinator. In fact, the CERT/CC has played all five roles over time, although not usually simultaneously.

  • No labels