Prioritizing Vulnerability Coordination
In coordinated vulnerability disclosure (CVD), there are two available decisions modelled in SSVC. The first is whether or not to coordinate a vulnerability report. This decision is also known as triage.
Coordination Triage Priority
As noted in Enumerating Decisions, the root of a decision model's identity is the combination of the stakeholder and the decision being modeled. In this case, the stakeholder is the Coordinator and the decision is the priority of coordinating a vulnerability report.
Coordinator Triage Units of Work
Coordinator Unit of Work
The unit of work for a Coordinator is usually a single report to be coordinated.
Coordinator units of work tend to coincide with whatever arrives in a single report, which spans the range from a single vulnerability affecting a specific version of an individual product from one Supplier all the way to fundamental design flaws in system specifications that could affect every Supplier and product that uses or implements the flawed specification. Coordinators may need to reorganize reports (e.g., merge, split, expand, or contract) according to their workflow demands. SSVC can be applied to either the initial report or to the results of such refinement.
Coordinator Triage Decision Outcomes
We take three priority levels in our decision about whether and how to coordinate a vulnerability based on an incoming report:
Coordinator Triage Priority
| Triage Priority | Description |
|---|---|
| Decline | Do not act on the report. |
| Track | Receive information about the vulnerability and monitor for status changes but do not take any overt actions. |
| Coordinate | Take action on the report. “Action” may include any one or more of: technical analysis, reproduction, notifying vendors, publication, and assist another party. |
- Decline — Do not act on the report. May take different forms, including ignoring the report as well as an acknowledgement to the reporter that we will not act and suggest the reporter to go to vendor or publish if unresponsive.
- Track — Receive information about the vulnerability and monitor for status changes but do not take any overt actions.
- Coordinate — Take action on the report. “Action” may include any one or more of: technical analysis, reproduction, notifying vendors, lead coordination (notify, communicate, and publish), publish only (amplify public message), advise only, secondary coordinator (assist another lead coordinator). See the FIRST CSIRT Services Framework for additional vulnerability management services a coordinator may provide.
Coordinator Triage Decision Points
Prior CERT/CC Work on Prioritizing Coordination Decisions
Vulnerability Response Decision Assistance (VRDA) provides a starting point for a decision model for this situation. VRDA is likely adequate for national-level CSIRTs that do general CVD, but other CSIRT types may have different needs. The CERT Guide to Coordinated Vulnerability Disclosure provides something similar for those who are deciding how to report and disclose vulnerabilities they have discovered.
The coordination and publication decisions for CERT/CC are about the social and collaborative state of vulnerability management. Our goal with the coordination decision is to base it on information that is available to the analyst when CERT/CC receives a vulnerability report. In addition to using some of the decision points common to Suppliers and Deployers (Utility and Public Safety Impact), we have added five new decision points for the coordination decision model.
The first two function as gating questions:
- Report Public: If a report is already public, then CERT/CC will decline the case unless there are multiple suppliers, super effective Utility, and significant Public Safety Impact.
- Supplier Contacted: If no suppliers have been contacted, then CERT/CC will decline the case unless there are multiple suppliers, super effective Utility, and significant Public Safety Impact. In this case, CERT/CC may encourage the reporter to contact the supplier and submit a new case request if the supplier is unresponsive.
These two sets of exceptional circumstances mean that the seven decision points involved in the coordination triage tree can be compressed slightly, as the decision model below shows.
The remaining five decision points are:
- Report Credibility: If the report is not credible, then CERT/CC will decline the case.
- Supplier Cardinality: Cases involving multiple suppliers can get complicated very quickly, so we are more likely to get involved in those cases.
- Supplier Engagement: If the suppliers are already engaged in a case, there is usually less for a coordinator to do, making it less likely that we will coordinate a case.
- Utility: If the vulnerability has high utility, then CERT/CC is more likely to coordinate the case.
- Public Safety Impact: If the vulnerability has significant public safety impact, then CERT/CC is more likely to coordinate the case.
More detail about each of these decision points is provided at the links above, here we provide a brief summary of each.
Report Public (ssvc:RP:1.0.0)
Is a viable report of the details of the vulnerability already publicly available?
| Value | Definition |
|---|---|
| Yes (Y) | A public report of the vulnerability exists. |
| No (N) | No public report of the vulnerability exists. |
Report Public (ssvc:RP:1.0.0) JSON Example
{
"name": "Report Public",
"description": "Is a viable report of the details of the vulnerability already publicly available?",
"namespace": "ssvc",
"version": "1.0.0",
"schemaVersion": "1-0-1",
"key": "RP",
"values": [
{
"key": "Y",
"name": "Yes",
"description": "A public report of the vulnerability exists."
},
{
"key": "N",
"name": "No",
"description": "No public report of the vulnerability exists."
}
]
}
Supplier Contacted (ssvc:SCON:1.0.0)
Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?
| Value | Definition |
|---|---|
| No (N) | The supplier has not been contacted. |
| Yes (Y) | The supplier has been contacted. |
Supplier Contacted (ssvc:SCON:1.0.0) JSON Example
{
"name": "Supplier Contacted",
"description": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
"namespace": "ssvc",
"version": "1.0.0",
"schemaVersion": "1-0-1",
"key": "SCON",
"values": [
{
"key": "N",
"name": "No",
"description": "The supplier has not been contacted."
},
{
"key": "Y",
"name": "Yes",
"description": "The supplier has been contacted."
}
]
}
Report Credibility (ssvc:RC:1.0.0)
Is the report credible?
| Value | Definition |
|---|---|
| Not Credible (NC) | The report is not credible. |
| Credible (C) | The report is credible. |
Report Credibility (ssvc:RC:1.0.0) JSON Example
{
"name": "Report Credibility",
"description": "Is the report credible?",
"namespace": "ssvc",
"version": "1.0.0",
"schemaVersion": "1-0-1",
"key": "RC",
"values": [
{
"key": "NC",
"name": "Not Credible",
"description": "The report is not credible."
},
{
"key": "C",
"name": "Credible",
"description": "The report is credible."
}
]
}
Supplier Cardinality (ssvc:SC:1.0.0)
How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?
| Value | Definition |
|---|---|
| One (O) | There is only one supplier of the vulnerable component. |
| Multiple (M) | There are multiple suppliers of the vulnerable component. |
Supplier Cardinality (ssvc:SC:1.0.0) JSON Example
{
"name": "Supplier Cardinality",
"description": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
"namespace": "ssvc",
"version": "1.0.0",
"schemaVersion": "1-0-1",
"key": "SC",
"values": [
{
"key": "O",
"name": "One",
"description": "There is only one supplier of the vulnerable component."
},
{
"key": "M",
"name": "Multiple",
"description": "There are multiple suppliers of the vulnerable component."
}
]
}
Supplier Engagement (ssvc:SE:1.0.0)
Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?
| Value | Definition |
|---|---|
| Active (A) | The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort. |
| Unresponsive (U) | The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort. |
Supplier Engagement (ssvc:SE:1.0.0) JSON Example
{
"name": "Supplier Engagement",
"description": "Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?",
"namespace": "ssvc",
"version": "1.0.0",
"schemaVersion": "1-0-1",
"key": "SE",
"values": [
{
"key": "A",
"name": "Active",
"description": "The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort."
},
{
"key": "U",
"name": "Unresponsive",
"description": "The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort."
}
]
}
Utility (ssvc:U:1.0.1)
The Usefulness of the Exploit to the Adversary
| Value | Definition |
|---|---|
| Laborious (L) | Automatable:No AND Value Density:Diffuse |
| Efficient (E) | (Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated) |
| Super Effective (S) | Automatable:Yes AND Value Density:Concentrated |
Utility (ssvc:U:1.0.1) JSON Example
{
"name": "Utility",
"description": "The Usefulness of the Exploit to the Adversary",
"namespace": "ssvc",
"version": "1.0.1",
"schemaVersion": "1-0-1",
"key": "U",
"values": [
{
"key": "L",
"name": "Laborious",
"description": "Automatable:No AND Value Density:Diffuse"
},
{
"key": "E",
"name": "Efficient",
"description": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
},
{
"key": "S",
"name": "Super Effective",
"description": "Automatable:Yes AND Value Density:Concentrated"
}
]
}
Public Safety Impact (ssvc:PSI:2.0.1)
A coarse-grained representation of impact to public safety.
| Value | Definition |
|---|---|
| Minimal (M) | Safety Impact:Negligible |
| Significant (S) | Safety Impact:(Marginal OR Critical OR Catastrophic) |
Public Safety Impact (ssvc:PSI:2.0.1) JSON Example
{
"name": "Public Safety Impact",
"description": "A coarse-grained representation of impact to public safety.",
"namespace": "ssvc",
"version": "2.0.1",
"schemaVersion": "1-0-1",
"key": "PSI",
"values": [
{
"key": "M",
"name": "Minimal",
"description": "Safety Impact:Negligible"
},
{
"key": "S",
"name": "Significant",
"description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
}
]
}
Coordinator Triage Decision Model
The following example decision model is a policy that closely follows our own decision model at the CERT/CC. Other coordinators should consider customizing the tree to their needs, as described in Tree Construction and Customization Guidance.
SSVC Customization in Action: CISA
CISA has customized an SSVC decision model to suit their coordination needs. It is available at https://www.cisa.gov/ssvc.
Table of Values
Scroll to the right to see the full table
The table below is scrollable to the right.
| row | Public | Contacted | Report_Credibility | Cardinality | Engagement | Utility | Public_Safety_Impact | Priority |
|---|---|---|---|---|---|---|---|---|
| 1 | no | yes | no | one | active | laborious | minimal | decline |
| 2 | no | yes | no | one | active | laborious | significant | decline |
| 3 | no | yes | no | one | active | efficient | minimal | decline |
| 4 | no | yes | no | one | active | efficient | significant | track |
| 5 | no | yes | no | one | active | super effective | minimal | decline |
| 6 | no | yes | no | one | active | super effective | significant | track |
| 7 | no | yes | no | one | unresponsive | laborious | minimal | decline |
| 8 | no | yes | no | one | unresponsive | laborious | significant | decline |
| 9 | no | yes | no | one | unresponsive | efficient | minimal | decline |
| 10 | no | yes | no | one | unresponsive | efficient | significant | track |
| 11 | no | yes | no | one | unresponsive | super effective | minimal | decline |
| 12 | no | yes | no | one | unresponsive | super effective | significant | track |
| 13 | no | yes | no | multiple | active | laborious | minimal | decline |
| 14 | no | yes | no | multiple | active | laborious | significant | track |
| 15 | no | yes | no | multiple | active | efficient | minimal | decline |
| 16 | no | yes | no | multiple | active | efficient | significant | track |
| 17 | no | yes | no | multiple | active | super effective | minimal | track |
| 18 | no | yes | no | multiple | active | super effective | significant | coordinate |
| 19 | no | yes | no | multiple | unresponsive | laborious | minimal | decline |
| 20 | no | yes | no | multiple | unresponsive | laborious | significant | track |
| 21 | no | yes | no | multiple | unresponsive | efficient | minimal | decline |
| 22 | no | yes | no | multiple | unresponsive | efficient | significant | track |
| 23 | no | yes | no | multiple | unresponsive | super effective | minimal | track |
| 24 | no | yes | no | multiple | unresponsive | super effective | significant | coordinate |
| 25 | no | yes | yes | one | active | laborious | minimal | decline |
| 26 | no | yes | yes | one | active | laborious | significant | decline |
| 27 | no | yes | yes | one | active | efficient | minimal | decline |
| 28 | no | yes | yes | one | active | efficient | significant | track |
| 29 | no | yes | yes | one | active | super effective | minimal | decline |
| 30 | no | yes | yes | one | active | super effective | significant | track |
| 31 | no | yes | yes | one | unresponsive | laborious | minimal | track |
| 32 | no | yes | yes | one | unresponsive | laborious | significant | coordinate |
| 33 | no | yes | yes | one | unresponsive | efficient | minimal | coordinate |
| 34 | no | yes | yes | one | unresponsive | efficient | significant | coordinate |
| 35 | no | yes | yes | one | unresponsive | super effective | minimal | coordinate |
| 36 | no | yes | yes | one | unresponsive | super effective | significant | coordinate |
| 37 | no | yes | yes | multiple | active | laborious | minimal | decline |
| 38 | no | yes | yes | multiple | active | laborious | significant | track |
| 39 | no | yes | yes | multiple | active | efficient | minimal | decline |
| 40 | no | yes | yes | multiple | active | efficient | significant | track |
| 41 | no | yes | yes | multiple | active | super effective | minimal | coordinate |
| 42 | no | yes | yes | multiple | active | super effective | significant | coordinate |
| 43 | no | yes | yes | multiple | unresponsive | laborious | minimal | coordinate |
| 44 | no | yes | yes | multiple | unresponsive | laborious | significant | coordinate |
| 45 | no | yes | yes | multiple | unresponsive | efficient | minimal | coordinate |
| 46 | no | yes | yes | multiple | unresponsive | efficient | significant | coordinate |
| 47 | no | yes | yes | multiple | unresponsive | super effective | minimal | coordinate |
| 48 | no | yes | yes | multiple | unresponsive | super effective | significant | coordinate |
| 49 | yes | yes | no | multiple | active | super effective | significant | coordinate |
| 50 | yes | yes | no | multiple | unresponsive | super effective | significant | coordinate |
| 51 | yes | yes | yes | multiple | active | super effective | significant | coordinate |
| 52 | yes | yes | yes | multiple | unresponsive | super effective | significant | coordinate |
| 53 | yes | no | no | multiple | active | super effective | significant | coordinate |
| 54 | yes | no | no | multiple | unresponsive | super effective | significant | coordinate |
| 55 | yes | no | yes | multiple | active | super effective | significant | coordinate |
| 56 | yes | no | yes | multiple | unresponsive | super effective | significant | coordinate |
| 57 | yes | yes | no | one | active | laborious | minimal | decline |
| 58 | yes | yes | no | one | active | efficient | minimal | decline |
| 59 | yes | yes | no | one | unresponsive | laborious | minimal | decline |
| 60 | yes | yes | no | one | unresponsive | efficient | minimal | decline |
| 61 | yes | yes | yes | one | active | laborious | minimal | decline |
| 62 | yes | yes | yes | one | active | efficient | minimal | decline |
| 63 | yes | yes | yes | one | unresponsive | laborious | minimal | decline |
| 64 | yes | yes | yes | one | unresponsive | efficient | minimal | decline |
| 65 | yes | no | no | one | active | laborious | minimal | decline |
| 66 | yes | no | no | one | active | efficient | minimal | decline |
| 67 | yes | no | no | one | unresponsive | laborious | minimal | decline |
| 68 | yes | no | no | one | unresponsive | efficient | minimal | decline |
| 69 | yes | no | yes | one | active | laborious | minimal | decline |
| 70 | yes | no | yes | one | active | efficient | minimal | decline |
| 71 | yes | no | yes | one | unresponsive | laborious | minimal | decline |
| 72 | yes | no | yes | one | unresponsive | efficient | minimal | decline |
| 73 | no | no | no | multiple | active | super effective | significant | coordinate |
| 74 | no | no | no | multiple | unresponsive | super effective | significant | coordinate |
| 75 | no | no | yes | multiple | active | super effective | significant | coordinate |
| 76 | no | no | yes | multiple | unresponsive | super effective | significant | coordinate |
| 77 | no | no | no | one | active | laborious | minimal | decline |
| 78 | no | no | no | one | active | efficient | minimal | decline |
| 79 | no | no | no | one | unresponsive | laborious | minimal | decline |
| 80 | no | no | no | one | unresponsive | efficient | minimal | decline |
| 81 | no | no | yes | one | active | laborious | minimal | decline |
| 82 | no | no | yes | one | active | efficient | minimal | decline |
| 83 | no | no | yes | one | unresponsive | laborious | minimal | decline |
| 84 | no | no | yes | one | unresponsive | efficient | minimal | decline |