What people say, what people do, and what they say they do are entirely different things.
– Margaret Mead
Certain roles are critical to the Coordinated Vulnerability Disclosure process, as described below:
Although a more detailed description of the CVD process is provided in Section 4, a simple sketch of the relationships between these roles is shown in Figure 1.
Figure 1: CVD Role Relationships
It is possible and often the case that individuals and organizations play multiple roles. For example, a cloud service provider might act as both vendor and deployer, while a researcher might act as both finder and reporter. A vendor may also be both a deployer and a coordinator. In fact, the CERT/CC has played all five roles over time, although not usually simultaneously.