<ac:structured-macro ac:name="anchor" ac:schema-version="1" ac:macro-id="6bd94897-71a6-4936-a58a-5b3bfea9aa21"><ac:parameter ac:name="">Phases_of_CVD_</ac:parameter></ac:structured-macro>{_}You go through phases. You have to reinvent reasons for playing, and one year's answer might not do for another._
_-Yo-Yo Ma_
There are a number of proposed models of the CVD process that have slightly varying phases \[17\] \[18\] \[45\] \[69\]. Below, we adapt a version of the ISO/IEC 30111 \[45\] process with more phases to better describe what we have seen at the CERT/CC.

• Discovery – A researcher (not necessarily an academic one) discovers a vulnerability by using one of numerous tools and processes.
• Reporting – A researcher submits a vulnerability report to a software or product vendor, or a third-party coordinator if necessary.
• Validation and Triage – The analyst validates the report to ensure accuracy before action can be taken and prioritizes reports relative to others.
• Remediation – A remediation plan (ideally a software patch, but could also be other mechanisms) is developed and tested.
• Public Awareness – The vulnerability and its remediation plan is disclosed to the public.
• Deployment – The remediation is applied to deployed systems.

A mapping of CVD phases to CVD roles is provided in Table 2.
Table 2: Mapping CVD Roles to Phases

We will next discuss each of these phases in more detail.