A process is "a series of actions or steps taken in order to achieve a particular end." Publishing a document is an action. Releasing a fix is an action. And while both of these are common events within the CVD process, they do not define it. Perhaps the simplest description of the CVD process is that it starts with at least one individual becoming aware of a vulnerability in a product. This discovery event immediately divides the world into two sets of people: those who know about the vulnerability, and those who don't. From that point on, those belonging to the set that knows about the vulnerability iterate on two questions:
- What actions should I take in response to this knowledge?
- Who else needs to know what, and when?
The CVD process continues until the answers to these questions are "nothing," and "nobody."
Simple enough? Hardly. If it were, this document would be considerably shorter. But with this simple iterator in mind, we'll be better able to frame our discussion.