Initializing a Case

This page is not normative

This page is not considered a core part of the Vultron Protocol as proposed in the main documentation. Although within the page we might provide guidance in terms of SHOULD, MUST, etc., the content here is not normative.

The process of initializing a case involves creating the case and then adding at least one report, at least one participant, and any notes to the case.

flowchart LR
    subgraph as:Create
        CreateCase
    end
    subgraph as:Add
        AddReportToCase
        AddParticipantToCase
        AddNoteToCase
    end
    CreateCase --> AddReportToCase
    CreateCase --> AddParticipantToCase
    CreateCase --> AddNoteToCase

Combining steps

It is not always necessary for these steps to be performed individually. It would be reasonable to create a case with the report and appropriate participants and notes all in the initial case object. We have broken these steps out individually to make it easier to understand the process.

Create Case

A vendor creates a case in response to a vulnerability report. Here we show a case creation including a single participant and a pointer to a report. In practice, a case may have multiple participants and (less often) multiple reports. See also Initializing a Case.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Create",
  "id": "https://for.example/51a2c840-1dc3-4076-9cef-904f6859253b",
  "name": "https://vultron.example/organizations/vendor Create VENDOR Case #20991514",
  "context": "https://vultron.example/reports/FDR-8675309",
  "content": "We've created a case from this report.",
  "actor": "https://vultron.example/organizations/vendor",
  "object": {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "VulnerabilityCase",
    "id": "https://vultron.example/cases/VDR-20991514",
    "name": "VENDOR Case #20991514",
    "published": "2024-07-09T20:17:18+00:00",
    "updated": "2024-07-09T20:17:18+00:00",
    "caseParticipants": [
      {
        "@context": "https://www.w3.org/ns/activitystreams",
        "type": "CaseParticipant",
        "id": "https://for.example/fe6b8f8c-61ab-4510-8353-2e32c1dd5447",
        "name": "VendorCo",
        "context": null,
        "published": "2024-07-09T20:17:18+00:00",
        "updated": "2024-07-09T20:17:18+00:00",
        "actor": "https://vultron.example/organizations/vendor",
        "caseRoles": [
          "VENDOR"
        ],
        "participantStatus": [
          {
            "@context": "https://www.w3.org/ns/activitystreams",
            "type": "ParticipantStatus",
            "id": "https://for.example/07d68a73-6f5b-4dd3-a78e-1cd9bad888f6",
            "name": "REPORT_MANAGEMENT_START vfd",
            "context": null,
            "published": "2024-07-09T20:17:18+00:00",
            "updated": "2024-07-09T20:17:18+00:00",
            "actor": "https://vultron.example/organizations/vendor",
            "rmState": "REPORT_MANAGEMENT_START",
            "vfdState": "vfd",
            "caseEngagement": true,
            "embargoAdherence": true
          }
        ]
      }
    ],
    "vulnerabilityReports": [
      "https://vultron.example/reports/FDR-8675309"
    ],
    "caseStatus": [
      {
        "@context": "https://www.w3.org/ns/activitystreams",
        "type": "CaseStatus",
        "id": "https://for.example/bd372d16-c66f-4f56-92b8-632fe87820db",
        "name": "EMBARGO_MANAGEMENT_NONE pxa",
        "context": "https://vultron.example/cases/VDR-20991514",
        "published": "2024-07-09T20:17:18+00:00",
        "updated": "2024-07-09T20:17:18+00:00",
        "emState": "EMBARGO_MANAGEMENT_NONE",
        "pxaState": "pxa"
      }
    ],
    "activeEmbargo": null
  }
}

Add Report to Case

Below we demonstrate how to add a report to a case. As noted above, this might more commonly be done in the initial case creation process. However, we show it here since there are times when it may be necessary to treat it separately, for example when a second report arrives for a case that already has a report.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Add",
  "id": "https://for.example/980e4407-9fc8-4184-9a71-835144e8f483",
  "name": "https://vultron.example/organizations/vendor Add https://vultron.example/reports/FDR-8675309 to https://vultron.example/cases/VDR-20991514",
  "content": "We're adding this report to this case.",
  "actor": "https://vultron.example/organizations/vendor",
  "target": "https://vultron.example/cases/VDR-20991514",
  "object": "https://vultron.example/reports/FDR-8675309"
}

Add Participant to Case

Here we provide two examples of adding a participant to a case.

Vendor adds self to case

In the first example, the vendor actor adds itself to the case in the vendor role. Normally, this might not be done as a separate step, but would be done as part of the creation of the case itself.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Add",
  "id": "https://for.example/3ccbd344-d2aa-469f-aa89-1034e3c28004",
  "name": "https://vultron.example/organizations/vendor Add VendorCo to https://vultron.example/cases/VDR-20991514",
  "content": "We're adding ourselves as a participant to this case.",
  "actor": "https://vultron.example/organizations/vendor",
  "target": "https://vultron.example/cases/VDR-20991514",
  "object": {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "CaseParticipant",
    "id": "https://vultron.example/cases/VDR-20991514/participants/vendor",
    "name": "VendorCo",
    "context": "https://vultron.example/cases/VDR-20991514",
    "published": "2024-07-09T20:17:18+00:00",
    "updated": "2024-07-09T20:17:18+00:00",
    "actor": "https://vultron.example/organizations/vendor",
    "caseRoles": [
      "VENDOR"
    ],
    "participantStatus": [
      {
        "@context": "https://www.w3.org/ns/activitystreams",
        "type": "ParticipantStatus",
        "id": "https://for.example/d7446407-5ea5-4160-8494-22719453fa9a",
        "name": "REPORT_MANAGEMENT_RECEIVED Vfd",
        "context": "https://vultron.example/cases/VDR-20991514",
        "published": "2024-07-09T20:17:18+00:00",
        "updated": "2024-07-09T20:17:18+00:00",
        "actor": "https://vultron.example/organizations/vendor",
        "rmState": "REPORT_MANAGEMENT_RECEIVED",
        "vfdState": "Vfd",
        "caseEngagement": true,
        "embargoAdherence": true
      }
    ]
  }
}

Vendor adds finder to case

In the second example, the vendor actor adds the finder to the case in the finder and reporter roles. Again, this might not be done as a separate step and could be done as part of the case creation step, but we include it here to show how to add multiple participants to a case.

For example, if a finder reported a vulnerability that was already known to the vendor, the vendor might add the finder to the case in the reporter role, but not in the finder role.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Add",
  "id": "https://for.example/90a21110-9306-4b83-ae4e-3805f8ee9a4f",
  "name": "https://vultron.example/organizations/vendor Add Finn der Vul to https://vultron.example/cases/VDR-20991514",
  "content": "We're adding the finder as a participant to this case.",
  "actor": "https://vultron.example/organizations/vendor",
  "target": "https://vultron.example/cases/VDR-20991514",
  "object": {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "CaseParticipant",
    "id": "https://vultron.example/cases/VDR-20991514/participants/finn",
    "name": "Finn der Vul",
    "context": "https://vultron.example/cases/VDR-20991514",
    "published": "2024-07-09T20:17:18+00:00",
    "updated": "2024-07-09T20:17:18+00:00",
    "actor": "https://vultron.example/users/finn",
    "caseRoles": [
      "FINDER",
      "REPORTER"
    ],
    "participantStatus": [
      {
        "@context": "https://www.w3.org/ns/activitystreams",
        "type": "ParticipantStatus",
        "id": "https://for.example/d32e4549-fd4f-4d05-91cf-fbd4747778e0",
        "name": "REPORT_MANAGEMENT_ACCEPTED vfd",
        "context": "https://vultron.example/cases/VDR-20991514",
        "published": "2024-07-09T20:17:18+00:00",
        "updated": "2024-07-09T20:17:18+00:00",
        "actor": "https://vultron.example/users/finn",
        "rmState": "REPORT_MANAGEMENT_ACCEPTED",
        "vfdState": "vfd",
        "caseEngagement": true,
        "embargoAdherence": true
      }
    ]
  }
}

Add Note to Case

If we think of a case as being a collection of information about a particular report or set of reports, then a note can be thought of as a comment on that information. Here we show a note being added to a case.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Add",
  "id": "https://for.example/94814897-246c-4fe5-a279-6547f29ad995",
  "name": "https://vultron.example/users/finn Add Note to https://vultron.example/cases/VDR-20991514",
  "actor": "https://vultron.example/users/finn",
  "target": "https://vultron.example/cases/VDR-20991514",
  "object": {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "Note",
    "id": "https://vultron.example/notes/1",
    "name": "Note",
    "context": "https://vultron.example/cases/VDR-20991514",
    "published": "2024-07-09T20:17:18+00:00",
    "updated": "2024-07-09T20:17:18+00:00",
    "content": "This is a note."
  }
}

Add vs Create+Target

Creating a Note and adding it to a Case is functionally equivalent to Creating a Note with the Case as the target. We use the as:Add activity to represent the addition of an existing object to another object, such as adding a note to a case. However, it is likely acceptable within an ActivityPub implementation to use the as:Create activity, since the as:Create activity includes a target property that can be used to specify the object to which the newly created object is being attached.
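
The initialization sequence and the Add vs Create+Target equivalence described above, as an added Python example that is not part of the Vultron documentation or code base: a receiver applies activities to an in-memory case store and reports whether the case has at least one report and one participant. The function names, the store layout, the check that an embedded object's context names the target case, and the treatment of a bare URL object as a report reference are assumptions made for this example.

```python
BUCKET = {"CaseParticipant": "participants", "Note": "notes"}

def ref(value):
    """Id of an embedded object, or the value itself when it is already a URL."""
    return value["id"] if isinstance(value, dict) else value

def apply_activity(cases, activity):
    """Apply one Create/Add activity to the in-memory store `cases`."""
    kind, obj = activity["asType"], activity["object"]
    embedded = isinstance(obj, dict)
    if kind == "Create" and embedded and obj.get("type") == "VulnerabilityCase":
        cases[obj["id"]] = {
            "reports": [ref(r) for r in obj.get("vulnerabilityReports", [])],
            "participants": [ref(p) for p in obj.get("caseParticipants", [])],
            "notes": [],
        }
        return
    # Add, or Create carrying a target, attaches `object` to the target case.
    if kind not in ("Add", "Create") or "target" not in activity:
        raise ValueError(f"unsupported activity: {kind}")
    target = ref(activity["target"])
    if target not in cases:
        raise KeyError(f"unknown case: {target}")
    # Assumed local policy: an embedded object's context must name the target.
    if embedded and obj.get("context") not in (None, target):
        raise ValueError("object context does not match target case")
    # Assumption: a bare URL object is a report reference (page's Add Report).
    # An embedded object of any other type raises KeyError here.
    bucket = BUCKET[obj.get("type")] if embedded else "reports"
    if ref(obj) not in cases[target][bucket]:
        cases[target][bucket].append(ref(obj))

def is_initialized(case):
    """Initialization per the page: at least one report and one participant."""
    return bool(case["reports"]) and bool(case["participants"])

CASE = "https://vultron.example/cases/VDR-20991514"
STEPS = [  # constructed sample, trimmed from the page's examples
    ("Add", "https://vultron.example/reports/FDR-8675309"),
    ("Add", {"type": "CaseParticipant", "id": CASE + "/participants/vendor", "context": CASE}),
    ("Create", {"type": "Note", "id": "https://vultron.example/notes/1", "context": CASE}),
]

def demo():
    cases = {}
    apply_activity(cases, {"asType": "Create", "object": {"type": "VulnerabilityCase", "id": CASE}})
    bare = is_initialized(cases[CASE])  # empty case: not yet initialized
    for kind, obj in STEPS:
        apply_activity(cases, {"asType": kind, "target": CASE, "object": obj})
    return bare, cases[CASE]
```

Actor authorization (who may add what to which case) is outside this example; the sketch only covers object placement and the initialization condition.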