<ac:structured-macro ac:name="anchor" ac:schema-version="1" ac:macro-id="6bd94897-71a6-4936-a58a-5b3bfea9aa21"><ac:parameter ac:name="">Phases_of_CVD_</ac:parameter></ac:structured-macro>_You go through phases. You have to reinvent reasons for playing, and one year's answer might not do for another._
_-Yo-Yo Ma_

There are a number of proposed models of the CVD process that have slightly varying phases \[17\] \[18\] \[45\] \[69\]. Below, we adapt a version of the ISO/IEC 30111 \[45\] process with more phases to better describe what we have seen at the CERT/CC.
A mapping of CVD phases to CVD roles is provided in Table 2.
Table 2: Mapping CVD Roles to Phases

| Roles | Finder | Reporter | Vendor | Coordinator | Deployer |
|---|---|---|---|---|---|
| Discovery | Finds vulnerabilities | | | | |
| Reporting | Prepares report | Reports vuls to vendor(s) and/or coordinators | Receives reports | Receives reports | |
| Validation and Triage | | | Validates reports received | Validates reports received | |
| Remediation | | Confirms fix | Prepares patches | Coordinates multiparty response | |
| Public Awareness | Publishes report | Publishes report | Publishes report | Publishes report | Receives report |
| Deployment | | | | | Deploys fix or mitigation |

We will next discuss each of these phases in more detail.