
Phases of Coordinated Vulnerability Disclosure

Below, we adapt a version of ISO/IEC 30111:2019, Information technology—Security techniques—Vulnerability handling processes, adding phases to better describe what we have seen at the CERT/CC.

  • Discovery
    A researcher (not necessarily an academic one) discovers a vulnerability by using one of numerous tools and processes.

  • Reporting
    A researcher submits a vulnerability report to a software or product vendor, or to a third-party coordinator if necessary.

  • Validation and Prioritization
    The analyst validates the report to ensure its accuracy before action can be taken, and prioritizes it relative to other reports.

  • Remediation
    A remediation plan (ideally a software patch, but possibly other mechanisms) is developed and tested.

  • Public Awareness
    The vulnerability and its remediation plan are disclosed to the public.

  • Deployment
    The remediation is applied to deployed systems.

Vulnerability Handling Process Models

There have been a number of proposed models of the CVD process that have slightly varying phases. Some of the most notable include:

Who Does What?

Extending the diagram from the Roles in CVD page, we can see how the roles interact in the CVD process.

---
title: CVD Role Relationships
---
flowchart TB
    subgraph C[Coordination]
        direction LR
        subgraph A[Often Same Entity]
            Reporter([Reporter])
            Finder([Finder])
        end
        Vendor([Vendor])
        subgraph B[Sometimes Included]
            Coordinator([Coordinator])
            Deployer([Deployer])
        end
    end

    Finder -->|shares vul<br/>info with| Reporter
    Reporter -->|reports<br/>vul to| Vendor
    Reporter -.->|provides vul<br/>info to| Deployer
    Reporter -.->|reports<br/>vul to| Coordinator

    Vendor -->|coordinates<br/>with| Reporter
    Vendor -.->|coordinates<br/>with| Coordinator
    Vendor -->|provides vul info<br/>and/or patch to| Deployer

    Coordinator -.->|coordinates<br/>with| Vendor
    Coordinator -.->|coordinates<br/>with| Reporter
    Coordinator -.->|provides vul<br/>info to| Deployer

    Deployer -->|provides<br/>feedback to| Vendor

    C -->|publish| Public([Public])

A mapping of CVD phases to CVD roles is provided in the following table.

| Phases ↓ / Role → | Finder | Reporter | Vendor | Coordinator | Deployer |
|---|---|---|---|---|---|
| Discovery | Finds vulnerabilities | - | - | - | - |
| Reporting | Prepares report | Reports vuls to vendor(s) and/or coordinator(s) | Receives reports | Receives reports | - |
| Validation | - | - | Validates reports received | Validates reports received | - |
| Prioritization | - | - | Prioritizes reports for response | Prioritizes reports for response | Prioritizes fixes for deployment |
| Remediation | - | Confirms fix | Prepares patches, develops advice, workarounds | Coordinates multiparty response, develops advice, workarounds | - |
| Public Awareness | Publishes advisory | Publishes advisory | Publishes advisory | Publishes advisory | Receives advisory |
| Deployment | - | - | - | - | Deploys fix or mitigation |