Relationships that Go Sideways

CVD is a human coordination process, and humans are complicated. They have feelings, and those feelings can get hurt. People get frustrated, angry, and sometimes just have bad days. And sometimes, they just don't get along.

When relationships go sideways in a CVD process, it can be a real problem. The process can stall, or worse, the vulnerability can be disclosed in a way that is harmful to users.

The Human Element

The first thing to do when things appear to be going awry in a CVD case is to give people some slack to make mistakes.

Transparency, Consistency, and Simplicity

The more transparent your process is—and the closer it is to what other folks are doing—the better you will be able to avoid problems.

Transparency is a key element of a successful CVD process. Good documentation is a start, but documenting a byzantine process isn't as useful as simplifying the process and then documenting that!

A CVD case just isn't going well

Role(s) affected: Reporter, Vendor, Coordinator

Phase(s): Reporting, Validation and prioritization, Remediation, Public Awareness

Description:

1. Cooperation has failed or is in the process of failing within the context of a particular CVD case.

• All parties in a failing CVD case should consider their actions in light of promoting continued cooperation.
• Reporters and Vendors can engage the services of a third party Coordinator to assist with notifying other Vendors, coordinating response along a supply chain, resolving disputes, etc.
• See Relationships that Go Sideways

Reporting a Vulnerability to CERT/CC

You can request the CERT/CC's assistance in coordinating a vulnerability disclosure process by submitting a report through the CERT/CC's Vulnerability Reporting Form (VRF).