...

There are a number of proposed models of the CVD process that have slightly varying phases [1] [2] [3] [4].

Below, we adapt a version of the ISO/IEC 30111 [5] process with additional phases to better describe what we have seen at the CERT/CC:

  • Discovery – A researcher (not necessarily an academic one) discovers a vulnerability using one of numerous tools and processes.
  • Reporting – The researcher submits a vulnerability report to the software or product vendor, or to a third-party coordinator if necessary.
  • Validation and Triage – The analyst validates the report to confirm its accuracy before action is taken, and prioritizes it relative to other reports.
  • Remediation – A remediation plan (ideally a software patch, but other mitigations are possible) is developed and tested.
  • Public Awareness – The vulnerability and its remediation plan are disclosed to the public.
  • Deployment – The remediation is applied to deployed systems.

...