Skip to content

Prioritizing Vulnerability Coordination

In coordinated vulnerability disclosure (CVD), there are two available decisions modelled in SSVC. The first is whether or not to coordinate a vulnerability report. This decision is also known as triage.

Coordination Triage Priority

As noted in Enumerating Decisions, the root of a decision model's identity is the combination of the stakeholder and the decision being modeled. In this case, the stakeholder is the Coordinator and the decision is the priority of coordinating a vulnerability report.

Coordinator Triage Units of Work

Coordinator Unit of Work

The unit of work for a Coordinator is usually a single report to be coordinated.

Coordinator units of work tend to coincide with whatever arrives in a single report, which spans the range from a single vulnerability affecting a specific version of an individual product from one Supplier all the way to fundamental design flaws in system specifications that could affect every Supplier and product that uses or implements the flawed specification. Coordinators may need to reorganize reports (e.g., merge, split, expand, or contract) according to their workflow demands. SSVC can be applied to either the initial report or to the results of such refinement.

Coordinator Triage Decision Outcomes

We take three priority levels in our decision about whether and how to coordinate a vulnerability based on an incoming report:

Coordinator Triage Priority

Triage Priority Description
Decline Do not act on the report.
Track Receive information about the vulnerability and monitor for status changes but do not take any overt actions.
Coordinate Take action on the report. “Action” may include any one or more of: technical analysis, reproduction, notifying vendors, publication, and assist another party.
  • Decline — Do not act on the report. May take different forms, including ignoring the report as well as an acknowledgement to the reporter that we will not act and suggest the reporter to go to vendor or publish if unresponsive.
  • Track — Receive information about the vulnerability and monitor for status changes but do not take any overt actions.
  • Coordinate — Take action on the report. “Action” may include any one or more of: technical analysis, reproduction, notifying vendors, lead coordination (notify, communicate, and publish), publish only (amplify public message), advise only, secondary coordinator (assist another lead coordinator). See the FIRST CSIRT Services Framework for additional vulnerability management services a coordinator may provide.

Coordinator Triage Decision Points

Prior CERT/CC Work on Prioritizing Coordination Decisions

Vulnerability Response Decision Assistance (VRDA) provides a starting point for a decision model for this situation. VRDA is likely adequate for national-level CSIRTs that do general CVD, but other CSIRT types may have different needs. The CERT Guide to Coordinated Vulnerability Disclosure provides something similar for those who are deciding how to report and disclose vulnerabilities they have discovered.

The coordination and publication decisions for CERT/CC are about the social and collaborative state of vulnerability management. Our goal with the coordination decision is to base it on information that is available to the analyst when CERT/CC receives a vulnerability report. In addition to using some of the decision points common to Suppliers and Deployers (Utility and Public Safety Impact), we have added five new decision points for the coordination decision model.

The first two function as gating questions:

These two sets of exceptional circumstances mean that the seven decision points involved in the coordination triage tree can be compressed slightly, as the decision model below shows.

The remaining five decision points are:

  • Report Credibility: If the report is not credible, then CERT/CC will decline the case.
  • Supplier Cardinality: Cases involving multiple suppliers can get complicated very quickly, so we are more likely to get involved in those cases.
  • Supplier Engagement: If the suppliers are already engaged in a case, there is usually less for a coordinator to do, making it less likely that we will coordinate a case.
  • Utility: If the vulnerability has high utility, then CERT/CC is more likely to coordinate the case.
  • Public Safety Impact: If the vulnerability has significant public safety impact, then CERT/CC is more likely to coordinate the case.

More detail about each of these decision points is provided at the links above, here we provide a brief summary of each.

Report Public v1.0.0

Is a viable report of the details of the vulnerability already publicly available?

Value Definition
Yes A public report of the vulnerability exists.
No No public report of the vulnerability exists.
{
  "namespace": "ssvc",
  "version": "1.0.0",
  "schemaVersion": "1-0-1",
  "key": "RP",
  "name": "Report Public",
  "description": "Is a viable report of the details of the vulnerability already publicly available?",
  "values": [
    {
      "key": "Y",
      "name": "Yes",
      "description": "A public report of the vulnerability exists."
    },
    {
      "key": "N",
      "name": "No",
      "description": "No public report of the vulnerability exists."
    }
  ]
}

Supplier Contacted v1.0.0

Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?

Value Definition
No The supplier has not been contacted.
Yes The supplier has been contacted.
{
  "namespace": "ssvc",
  "version": "1.0.0",
  "schemaVersion": "1-0-1",
  "key": "SC",
  "name": "Supplier Contacted",
  "description": "Has the reporter made a good-faith effort to contact the supplier of the vulnerable component using a quality contact method?",
  "values": [
    {
      "key": "N",
      "name": "No",
      "description": "The supplier has not been contacted."
    },
    {
      "key": "Y",
      "name": "Yes",
      "description": "The supplier has been contacted."
    }
  ]
}

Report Credibility v1.0.0

Is the report credible?

Value Definition
Not Credible The report is not credible.
Credible The report is credible.
{
  "namespace": "ssvc",
  "version": "1.0.0",
  "schemaVersion": "1-0-1",
  "key": "RC",
  "name": "Report Credibility",
  "description": "Is the report credible?",
  "values": [
    {
      "key": "NC",
      "name": "Not Credible",
      "description": "The report is not credible."
    },
    {
      "key": "C",
      "name": "Credible",
      "description": "The report is credible."
    }
  ]
}

Supplier Cardinality v1.0.0

How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?

Value Definition
One There is only one supplier of the vulnerable component.
Multiple There are multiple suppliers of the vulnerable component.
{
  "namespace": "ssvc",
  "version": "1.0.0",
  "schemaVersion": "1-0-1",
  "key": "SC",
  "name": "Supplier Cardinality",
  "description": "How many suppliers are responsible for the vulnerable component and its remediation or mitigation plan?",
  "values": [
    {
      "key": "O",
      "name": "One",
      "description": "There is only one supplier of the vulnerable component."
    },
    {
      "key": "M",
      "name": "Multiple",
      "description": "There are multiple suppliers of the vulnerable component."
    }
  ]
}

Supplier Engagement v1.0.0

Is the supplier responding to the reporter’s contact effort and actively participating in the coordination effort?

Value Definition
Active The supplier is responding to the reporter’s contact effort and actively participating in the coordination effort.
Unresponsive The supplier is not responding to the reporter’s contact effort and not actively participating in the coordination effort.
{
  "namespace": "ssvc",
  "version": "1.0.0",
  "schemaVersion": "1-0-1",
  "key": "SE",
  "name": "Supplier Engagement",
  "description": "Is the supplier responding to the reporter\u2019s contact effort and actively participating in the coordination effort?",
  "values": [
    {
      "key": "A",
      "name": "Active",
      "description": "The supplier is responding to the reporter\u2019s contact effort and actively participating in the coordination effort."
    },
    {
      "key": "U",
      "name": "Unresponsive",
      "description": "The supplier is not responding to the reporter\u2019s contact effort and not actively participating in the coordination effort."
    }
  ]
}

Utility v1.0.1

The Usefulness of the Exploit to the Adversary

Value Definition
Laborious Automatable:No AND Value Density:Diffuse
Efficient (Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)
Super Effective Automatable:Yes AND Value Density:Concentrated
{
  "namespace": "ssvc",
  "version": "1.0.1",
  "schemaVersion": "1-0-1",
  "key": "U",
  "name": "Utility",
  "description": "The Usefulness of the Exploit to the Adversary",
  "values": [
    {
      "key": "L",
      "name": "Laborious",
      "description": "Automatable:No AND Value Density:Diffuse"
    },
    {
      "key": "E",
      "name": "Efficient",
      "description": "(Automatable:Yes AND Value Density:Diffuse) OR (Automatable:No AND Value Density:Concentrated)"
    },
    {
      "key": "S",
      "name": "Super Effective",
      "description": "Automatable:Yes AND Value Density:Concentrated"
    }
  ]
}

Public Safety Impact v2.0.1

A coarse-grained representation of impact to public safety.

Value Definition
Minimal Safety Impact:Negligible
Significant Safety Impact:(Marginal OR Critical OR Catastrophic)
{
  "namespace": "ssvc",
  "version": "2.0.1",
  "schemaVersion": "1-0-1",
  "key": "PSI",
  "name": "Public Safety Impact",
  "description": "A coarse-grained representation of impact to public safety.",
  "values": [
    {
      "key": "M",
      "name": "Minimal",
      "description": "Safety Impact:Negligible"
    },
    {
      "key": "S",
      "name": "Significant",
      "description": "Safety Impact:(Marginal OR Critical OR Catastrophic)"
    }
  ]
}

Coordinator Triage Decision Model

The following example decision model is a policy that closely follows our own decision model at the CERT/CC. Other coordinators should consider customizing the tree to their needs, as described in Tree Construction and Customization Guidance.

SSVC Customization in Action: CISA

CISA has customized an SSVC decision model to suit their coordination needs. It is available at https://www.cisa.gov/ssvc.

Table of Values

Scroll to the right to see the full table

The table below is scrollable to the right.

row Public Contacted Report_Credibility Cardinality Engagement Utility Public_Safety_Impact Priority
1 no yes no one active laborious minimal decline
2 no yes no one active laborious significant decline
3 no yes no one active efficient minimal decline
4 no yes no one active efficient significant track
5 no yes no one active super effective minimal decline
6 no yes no one active super effective significant track
7 no yes no one unresponsive laborious minimal decline
8 no yes no one unresponsive laborious significant decline
9 no yes no one unresponsive efficient minimal decline
10 no yes no one unresponsive efficient significant track
11 no yes no one unresponsive super effective minimal decline
12 no yes no one unresponsive super effective significant track
13 no yes no multiple active laborious minimal decline
14 no yes no multiple active laborious significant track
15 no yes no multiple active efficient minimal decline
16 no yes no multiple active efficient significant track
17 no yes no multiple active super effective minimal track
18 no yes no multiple active super effective significant coordinate
19 no yes no multiple unresponsive laborious minimal decline
20 no yes no multiple unresponsive laborious significant track
21 no yes no multiple unresponsive efficient minimal decline
22 no yes no multiple unresponsive efficient significant track
23 no yes no multiple unresponsive super effective minimal track
24 no yes no multiple unresponsive super effective significant coordinate
25 no yes yes one active laborious minimal decline
26 no yes yes one active laborious significant decline
27 no yes yes one active efficient minimal decline
28 no yes yes one active efficient significant track
29 no yes yes one active super effective minimal decline
30 no yes yes one active super effective significant track
31 no yes yes one unresponsive laborious minimal track
32 no yes yes one unresponsive laborious significant coordinate
33 no yes yes one unresponsive efficient minimal coordinate
34 no yes yes one unresponsive efficient significant coordinate
35 no yes yes one unresponsive super effective minimal coordinate
36 no yes yes one unresponsive super effective significant coordinate
37 no yes yes multiple active laborious minimal decline
38 no yes yes multiple active laborious significant track
39 no yes yes multiple active efficient minimal decline
40 no yes yes multiple active efficient significant track
41 no yes yes multiple active super effective minimal coordinate
42 no yes yes multiple active super effective significant coordinate
43 no yes yes multiple unresponsive laborious minimal coordinate
44 no yes yes multiple unresponsive laborious significant coordinate
45 no yes yes multiple unresponsive efficient minimal coordinate
46 no yes yes multiple unresponsive efficient significant coordinate
47 no yes yes multiple unresponsive super effective minimal coordinate
48 no yes yes multiple unresponsive super effective significant coordinate
49 yes yes no multiple active super effective significant coordinate
50 yes yes no multiple unresponsive super effective significant coordinate
51 yes yes yes multiple active super effective significant coordinate
52 yes yes yes multiple unresponsive super effective significant coordinate
53 yes no no multiple active super effective significant coordinate
54 yes no no multiple unresponsive super effective significant coordinate
55 yes no yes multiple active super effective significant coordinate
56 yes no yes multiple unresponsive super effective significant coordinate
57 yes yes no one active laborious minimal decline
58 yes yes no one active efficient minimal decline
59 yes yes no one unresponsive laborious minimal decline
60 yes yes no one unresponsive efficient minimal decline
61 yes yes yes one active laborious minimal decline
62 yes yes yes one active efficient minimal decline
63 yes yes yes one unresponsive laborious minimal decline
64 yes yes yes one unresponsive efficient minimal decline
65 yes no no one active laborious minimal decline
66 yes no no one active efficient minimal decline
67 yes no no one unresponsive laborious minimal decline
68 yes no no one unresponsive efficient minimal decline
69 yes no yes one active laborious minimal decline
70 yes no yes one active efficient minimal decline
71 yes no yes one unresponsive laborious minimal decline
72 yes no yes one unresponsive efficient minimal decline
73 no no no multiple active super effective significant coordinate
74 no no no multiple unresponsive super effective significant coordinate
75 no no yes multiple active super effective significant coordinate
76 no no yes multiple unresponsive super effective significant coordinate
77 no no no one active laborious minimal decline
78 no no no one active efficient minimal decline
79 no no no one unresponsive laborious minimal decline
80 no no no one unresponsive efficient minimal decline
81 no no yes one active laborious minimal decline
82 no no yes one active efficient minimal decline
83 no no yes one unresponsive laborious minimal decline
84 no no yes one unresponsive efficient minimal decline