"You go through phases. You have to reinvent reasons for playing, and one year's answer might not do for another."
-Yo-Yo Ma
There are a number of proposed models of the CVD process that have slightly varying phases \[1] \[2] \[3] \[4]. Below, we adapt a version of the ISO/IEC 30111 \[5] process with more phases to better describe what we have seen at the CERT/CC.
- Discovery – A researcher (not necessarily an academic one) discovers a vulnerability by using one of numerous tools and processes.
- Reporting – A researcher submits a vulnerability report to a software or product vendor, or a third-party coordinator if necessary.
- Validation and Triage – The analyst validates the report to ensure accuracy before action can be taken and prioritizes reports relative to others.
- Remediation – A remediation plan (ideally a software patch, but could also be other mechanisms) is developed and tested.
- Public Awareness – The vulnerability and its remediation plan are disclosed to the public.
- Deployment – The remediation is applied to deployed systems.