Roles in Coordinated Vulnerability Disclosure
Certain roles are critical to the Coordinated Vulnerability Disclosure process, as described in the following sections:
- Finder (Discoverer) -- the individual or organization that identifies the vulnerability
- Reporter -- the individual or organization that notifies the vendor of the vulnerability
- Vendor -- the individual or organization that created or maintains the product that is vulnerable
- Deployer -- the individual or organization that must deploy a patch or take other remediation action
- Coordinator -- an individual or organization that facilitates the coordinated response process
- Other Roles -- other roles that may be involved in the CVD process
Participants Can Play Multiple Roles
It is possible and often the case that individuals and organizations play multiple roles. For example, a cloud service provider might act as both vendor and deployer, while a researcher might act as both finder and reporter. A vendor may also be both a deployer and a coordinator. In fact, the CERT/CC has played all five roles over time, although not usually simultaneously.
Relationships Between Roles
Although a more detailed description of the CVD process is provided in Phases of CVD, a simple sketch of the relationships between these roles is shown in the figure below.
```mermaid
---
title: Coordination Relationships in CVD
---
flowchart TB
    subgraph C[Coordination]
        direction LR
        subgraph A[Often<br/>Same<br/>Entity]
            reporter([Reporter])
            finder([Finder])
        end
        vendor([Vendor])
        subgraph D[Sometimes<br/>Included]
            coordinator([Coordinator])
            deployer([Deployer])
        end
    end
    public([Public])
    finder <--> reporter
    reporter <--> vendor
    vendor <-.-> coordinator
    reporter <-.-> coordinator
    vendor <-.-> deployer
    coordinator <-.-> deployer
    reporter <-.-> deployer
    C -->|publish| public
```