Skip to content

Initializing a CaseParticipant

This page is not normative

This page is not considered a core part of the Vultron Protocol as proposed in the main documentation. Although within the page we might provide guidance in terms of SHOULD, MUST, etc., the content here is not normative.

It may not always be necessary to generate a new CreateParticipant activity when creating a new VulnerabilityCase object. It is possible to create a new VulnerabilityCase object and add a new CaseParticipant object to it in a single Create activity.

However, there times when all the case participants are not known at the time the case is created. For example, a finder might report a vulnerability to a coordinator, who then creates a new case. The relevant vendors might not be known at the time the case is created, but they might be added later. In this scenario, the coordinator would create the case with just the coordinator and the finder/reporter to start, and then add the vendors as participants in separate steps as they are identified.

What's the difference between a Case Participant and an Actor?

ActivityStreams actor objects are used to represent long-lived identities of people, organizations, groups, or software agents. The CaseParticipant object is a wrapper around an as:Actor object that associates the actor with a specific VulnerabilityCase object. This is done so that an actor can be associated with multiple cases, each with different roles and statuses contextual to the individual cases.

flowchart LR
    subgraph as:Create
        CreateParticipant
    end
    subgraph as:Add
        AddParticipantToCase
    end
    CreateParticipant --> AddParticipantToCase

Create Participant

In the following example, the vendor actor creates a coordinator participant for a case.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Create",
  "id": "https://for.example/0c5db03d-b9f5-4365-8187-2e1fd29abba6",
  "name": "https://vultron.example/organizations/vendor Create Coordinator LLC to https://vultron.example/cases/VDR-20991514",
  "content": "We're adding Coordinator LLC to the case.",
  "actor": "https://vultron.example/organizations/vendor",
  "target": "https://vultron.example/cases/VDR-20991514",
  "object": {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "CaseParticipant",
    "id": "https://vultron.example/cases/VDR-20991514/participants/https://vultron.example/organizations/coordinator",
    "name": "Coordinator LLC",
    "context": "https://vultron.example/cases/VDR-20991514",
    "published": "2024-07-09T20:17:18+00:00",
    "updated": "2024-07-09T20:17:18+00:00",
    "actor": "https://vultron.example/organizations/coordinator",
    "caseRoles": [
      "COORDINATOR"
    ],
    "participantStatus": [
      {
        "@context": "https://www.w3.org/ns/activitystreams",
        "type": "ParticipantStatus",
        "id": "https://for.example/381fedc7-aa6b-4ccb-a33d-dedec253044a",
        "name": "REPORT_MANAGEMENT_START vfd",
        "context": "https://vultron.example/cases/VDR-20991514",
        "published": "2024-07-09T20:17:18+00:00",
        "updated": "2024-07-09T20:17:18+00:00",
        "actor": "https://vultron.example/organizations/coordinator",
        "rmState": "REPORT_MANAGEMENT_START",
        "vfdState": "vfd",
        "caseEngagement": true,
        "embargoAdherence": true
      }
    ]
  }
}

Add Participant to Case

Here we provide two examples of adding a participant to a case.

Vendor adds self to case

In the first example, the vendor actor adds itself to the case in the vendor role. Normally, this might not be done as a separate step, but would be done as part of the creation of the case itself.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Add",
  "id": "https://for.example/b872970e-aabb-46f6-a2db-33c5c29aee01",
  "name": "https://vultron.example/organizations/vendor Add VendorCo to https://vultron.example/cases/VDR-20991514",
  "content": "We're adding ourselves as a participant to this case.",
  "actor": "https://vultron.example/organizations/vendor",
  "target": "https://vultron.example/cases/VDR-20991514",
  "object": {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "CaseParticipant",
    "id": "https://vultron.example/cases/VDR-20991514/participants/vendor",
    "name": "VendorCo",
    "context": "https://vultron.example/cases/VDR-20991514",
    "published": "2024-07-09T20:17:18+00:00",
    "updated": "2024-07-09T20:17:18+00:00",
    "actor": "https://vultron.example/organizations/vendor",
    "caseRoles": [
      "VENDOR"
    ],
    "participantStatus": [
      {
        "@context": "https://www.w3.org/ns/activitystreams",
        "type": "ParticipantStatus",
        "id": "https://for.example/cbedf981-1863-4384-9cf3-704a97450082",
        "name": "REPORT_MANAGEMENT_RECEIVED Vfd",
        "context": "https://vultron.example/cases/VDR-20991514",
        "published": "2024-07-09T20:17:18+00:00",
        "updated": "2024-07-09T20:17:18+00:00",
        "actor": "https://vultron.example/organizations/vendor",
        "rmState": "REPORT_MANAGEMENT_RECEIVED",
        "vfdState": "Vfd",
        "caseEngagement": true,
        "embargoAdherence": true
      }
    ]
  }
}

Vendor adds finder to case

In the second example, the vendor actor adds the finder to the case in the finder and reporter roles. Again, this might not be done as a separate step, and could be done as part of the case creation step. But we include it here to show how to add multiple participants to a case.

For example, if a finder reported a vulnerability that was already known to the vendor, the vendor might add the finder to the case in the reporter role, but not in the finder role.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Add",
  "id": "https://for.example/cdbceb55-fb39-4c12-bcea-df36c8157780",
  "name": "https://vultron.example/organizations/vendor Add Finn der Vul to https://vultron.example/cases/VDR-20991514",
  "content": "We're adding the finder as a participant to this case.",
  "actor": "https://vultron.example/organizations/vendor",
  "target": "https://vultron.example/cases/VDR-20991514",
  "object": {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "CaseParticipant",
    "id": "https://vultron.example/cases/VDR-20991514/participants/finn",
    "name": "Finn der Vul",
    "context": "https://vultron.example/cases/VDR-20991514",
    "published": "2024-07-09T20:17:18+00:00",
    "updated": "2024-07-09T20:17:18+00:00",
    "actor": "https://vultron.example/users/finn",
    "caseRoles": [
      "FINDER",
      "REPORTER"
    ],
    "participantStatus": [
      {
        "@context": "https://www.w3.org/ns/activitystreams",
        "type": "ParticipantStatus",
        "id": "https://for.example/7f0464ea-a769-4d26-b7e8-0706c636dc50",
        "name": "REPORT_MANAGEMENT_ACCEPTED vfd",
        "context": "https://vultron.example/cases/VDR-20991514",
        "published": "2024-07-09T20:17:18+00:00",
        "updated": "2024-07-09T20:17:18+00:00",
        "actor": "https://vultron.example/users/finn",
        "rmState": "REPORT_MANAGEMENT_ACCEPTED",
        "vfdState": "vfd",
        "caseEngagement": true,
        "embargoAdherence": true
      }
    ]
  }
}