
Managing a Case

This page is not normative

This page is not considered a core part of the Vultron Protocol as proposed in the main documentation. Although within the page we might provide guidance in terms of SHOULD, MUST, etc., the content here is not normative.

Case management activities reflect the Report Management (RM) process model. The flowchart below maps each RM state to the ActivityStreams activity type (as:Offer, as:Accept, as:Reject, as:Create, as:Join, as:Ignore, as:Leave) that a participant uses to enter it, and the decision nodes show which transitions are allowed from each state.

flowchart TB
    subgraph RM:RECEIVED
        subgraph as:Offer
            RmSubmitReport
        end
    end
    subgraph RM:VALIDATED 
        subgraph as:Accept
            RmValidateReport
        end
        subgraph as:Create
            CreateCase
        end
    end
    subgraph RM:INVALID
        subgraph as:Reject
            RmInvalidateReport
        end
    end
    subgraph RM:ACCEPTED
        subgraph as:Join
            RmEngageCase
        end
    end
    subgraph RM:DEFERRED
        subgraph as:Ignore
            RmDeferCase
        end
    end
    subgraph RM:CLOSED
        subgraph as:Leave
            RmCloseCase
            RmCloseReport
        end
    end

    d{Done?}
    c{Close?}
    p{Priority?}
    v{Valid?}
    start([Start])
    start --> RmSubmitReport
    RmSubmitReport --> v
    v -->|y| RmValidateReport
    v -->|n| RmInvalidateReport
    RmInvalidateReport --> c
    c -->|y| RmCloseReport
    RmValidateReport --> CreateCase
    CreateCase --> p
    p -->|act| RmEngageCase
    d -->|n| p
    p -->|defer| RmDeferCase
    RmEngageCase --> d
    RmDeferCase --> d
    c -->|n| v
    d -->|y| RmCloseCase

Submit Report

The finder submits a vulnerability report to the vendor.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Offer",
  "id": "https://for.example/f708e144-556e-4155-a630-6c55fe522e17",
  "name": "https://vultron.example/users/finn Offer FDR-8675309",
  "to": "https://vultron.example/organizations/vendor",
  "actor": "https://vultron.example/users/finn",
  "object": {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "VulnerabilityReport",
    "id": "https://vultron.example/reports/FDR-8675309",
    "name": "FDR-8675309",
    "published": "2024-07-09T20:17:19+00:00",
    "updated": "2024-07-09T20:17:19+00:00",
    "content": "I found a vulnerability!",
    "attributedTo": [
      "https://vultron.example/users/finn"
    ]
  }
}

Invalidate Report

The vendor invalidates the vulnerability report, which implies that they will not be taking further action on the vulnerability. They may choose to hold the report open for a period of time before closing it in order to allow the reporter to provide additional information that could change the vendor's decision.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Reject",
  "id": "https://for.example/e922f500-72e0-47a7-86b2-a56d1d0cec8b",
  "name": "https://vultron.example/organizations/vendor Reject https://vultron.example/reports/FDR-8675309",
  "content": "We're declining this report as invalid. If you have a reason we should reconsider, please let us know. Otherwise we'll be closing it shortly.",
  "actor": "https://vultron.example/organizations/vendor",
  "object": "https://vultron.example/reports/FDR-8675309"
}

Validate Report

The vendor validates the vulnerability report, which implies that they will shortly create a case to track the vulnerability response.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Accept",
  "id": "https://for.example/17e70d0c-07e6-47a5-bbd7-ec2d3446e342",
  "name": "https://vultron.example/organizations/vendor Accept https://vultron.example/reports/FDR-8675309",
  "content": "We've validated the report. We'll be creating a case shortly.",
  "actor": "https://vultron.example/organizations/vendor",
  "object": "https://vultron.example/reports/FDR-8675309"
}

Create Case

A vendor creates a case in response to a vulnerability report. Here we show a case creation including a single participant and a pointer to a report. In practice, a case may have multiple participants and (less often) multiple reports. See also Initializing a Case.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Create",
  "id": "https://for.example/4232d8e5-2a7d-4d88-abc1-1de6abfa551a",
  "name": "https://vultron.example/organizations/vendor Create VENDOR Case #20991514",
  "context": "https://vultron.example/reports/FDR-8675309",
  "content": "We've created a case from this report.",
  "actor": "https://vultron.example/organizations/vendor",
  "object": {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "VulnerabilityCase",
    "id": "https://vultron.example/cases/VDR-20991514",
    "name": "VENDOR Case #20991514",
    "published": "2024-07-09T20:17:19+00:00",
    "updated": "2024-07-09T20:17:19+00:00",
    "caseParticipants": [
      {
        "@context": "https://www.w3.org/ns/activitystreams",
        "type": "CaseParticipant",
        "id": "https://for.example/32a2ab0a-d325-47bd-97a0-95bdb37452fc",
        "name": "VendorCo",
        "context": null,
        "published": "2024-07-09T20:17:19+00:00",
        "updated": "2024-07-09T20:17:19+00:00",
        "actor": "https://vultron.example/organizations/vendor",
        "caseRoles": [
          "VENDOR"
        ],
        "participantStatus": [
          {
            "@context": "https://www.w3.org/ns/activitystreams",
            "type": "ParticipantStatus",
            "id": "https://for.example/35c7cdda-23b9-44fa-90f4-55c032e15b5e",
            "name": "REPORT_MANAGEMENT_START vfd",
            "context": null,
            "published": "2024-07-09T20:17:19+00:00",
            "updated": "2024-07-09T20:17:19+00:00",
            "actor": "https://vultron.example/organizations/vendor",
            "rmState": "REPORT_MANAGEMENT_START",
            "vfdState": "vfd",
            "caseEngagement": true,
            "embargoAdherence": true
          }
        ]
      }
    ],
    "vulnerabilityReports": [
      "https://vultron.example/reports/FDR-8675309"
    ],
    "caseStatus": [
      {
        "@context": "https://www.w3.org/ns/activitystreams",
        "type": "CaseStatus",
        "id": "https://for.example/f3f4f0c3-2507-42d4-a67c-77072948a9bb",
        "name": "EMBARGO_MANAGEMENT_NONE pxa",
        "context": "https://vultron.example/cases/VDR-20991514",
        "published": "2024-07-09T20:17:19+00:00",
        "updated": "2024-07-09T20:17:19+00:00",
        "emState": "EMBARGO_MANAGEMENT_NONE",
        "pxaState": "pxa"
      }
    ],
    "activeEmbargo": null
  }
}

Defer Case

The vendor defers the case (RM:DEFERRED), indicating that they have prioritized it below their current threshold for action. Deferral is modeled as an as:Ignore rather than an as:Leave because the vendor remains a participant in the case and may engage it later.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Ignore",
  "id": "https://for.example/7610bf02-ffa4-4784-8c54-0e516cbf7959",
  "name": "https://vultron.example/organizations/vendor Ignore https://vultron.example/cases/VDR-20991514",
  "content": "We're deferring this case.",
  "actor": "https://vultron.example/organizations/vendor",
  "object": "https://vultron.example/cases/VDR-20991514"
}

Engage Case

The vendor engages the case (RM:ACCEPTED), indicating that they are actively working on the vulnerability response. A case may be engaged directly after creation or after a period of deferral.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Join",
  "id": "https://for.example/7cec168e-18c4-4105-b419-c0810ee8cf5b",
  "name": "https://vultron.example/organizations/vendor Join https://vultron.example/cases/VDR-20991514",
  "content": "We're engaging this case.",
  "actor": "https://vultron.example/organizations/vendor",
  "object": "https://vultron.example/cases/VDR-20991514"
}

Re-Engaging a Case

The RmReEngageCase activity is used to re-engage a case that has been deferred. Deferring a case is modeled as an as:Ignore activity, since it indicates that a participant has not entirely left the case but has instead deferred their participation for a period of time. Re-engaging a case is modeled as an as:Undo activity, since it undoes the as:Ignore activity that was used to defer the case. Alternatively, we could have just used the same RmEngageCase (as:Join) activity. That might still be a better option, but we'll leave it as an implementation choice for now.

Close Case

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Leave",
  "id": "https://for.example/1cc0f497-ef84-4b28-a5c8-c4f8fae03ae6",
  "name": "https://vultron.example/organizations/vendor Leave https://vultron.example/cases/VDR-20991514",
  "content": "We're closing this case.",
  "actor": "https://vultron.example/organizations/vendor",
  "object": "https://vultron.example/cases/VDR-20991514"
}

Close Report

The vendor closes an invalid vulnerability report, which implies that they will not be taking further action on the vulnerability.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Leave",
  "id": "https://for.example/c6058067-a9e8-4b33-9e7b-1db4d6c2c42b",
  "name": "https://vultron.example/organizations/vendor Leave https://vultron.example/reports/FDR-8675309",
  "content": "We're closing this report.",
  "actor": "https://vultron.example/organizations/vendor",
  "object": "https://vultron.example/reports/FDR-8675309"
}

Close Case vs Close Report

Closing a report is only relevant when the report is not valid, because valid reports should be converted to cases. Hence, we define the RmCloseReport activity as an option for when a report is invalidated before a case is created. Both RmCloseReport and RmCloseCase are defined as subclasses of as:Leave, since each indicates that the actor's participation in the report or case, respectively, has ended.
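The transitions in the flowchart above, together with the Re-Engaging a Case and Close Case vs Close Report rules, can be enforced by a receiver as a small state machine. The following is an added example written for this page, not code from the Vultron reference implementation: an `RmTracker` that consumes activities shaped like the JSON examples above (using the page's `asType` field and string-or-embedded `object`) and either advances the RM state or raises. Several choices are assumptions the page does not specify and are marked as such in the code: only the vendor actor may drive post-Offer transitions, an as:Undo names the earlier as:Ignore by its `id`, duplicate activity ids are rejected, and the `act(...)`/`run_vendor_path()` helpers build constructed test messages reusing the actor, report and case IRIs from the examples.

```python
"""Track the Report Management (RM) state of one vulnerability report from a stream of
ActivityStreams-style activities shaped like the examples on this page.
Added example, not the Vultron reference implementation; ASSUMPTION marks choices the page does not specify."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple, Union

# RM states, named after the subgraphs of the flowchart.
RM_START, RM_RECEIVED, RM_VALIDATED = "REPORT_MANAGEMENT_START", "RM:RECEIVED", "RM:VALIDATED"
RM_INVALID, RM_ACCEPTED, RM_DEFERRED, RM_CLOSED = "RM:INVALID", "RM:ACCEPTED", "RM:DEFERRED", "RM:CLOSED"

# IRIs reused from the page's examples for constructed test messages.
VENDOR = "https://vultron.example/organizations/vendor"
FINDER = "https://vultron.example/users/finn"
REPORT = "https://vultron.example/reports/FDR-8675309"
CASE = "https://vultron.example/cases/VDR-20991514"


class RmTransitionError(Exception):
    """Activity not allowed in the current RM state, or not from the right actor."""


def _kind(activity: dict) -> Optional[str]:
    return activity.get("asType") or activity.get("type")   # the page's examples use "asType"


def _object_id(obj: Union[str, dict]) -> str:
    return obj["id"] if isinstance(obj, dict) else obj       # AS objects may be an IRI or embedded


@dataclass
class RmTracker:
    vendor: str                   # ASSUMPTION: only this actor may drive post-Offer transitions
    report_id: str
    state: str = RM_START
    case_id: Optional[str] = None
    seen: Dict[str, dict] = field(default_factory=dict)  # activity id -> activity, for as:Undo lookups

    def _require(self, states: Tuple[str, ...], got: Optional[str], want: Optional[str]) -> None:
        if self.state not in states:
            raise RmTransitionError(f"{self.state}: activity not allowed here")
        if want is None or got != want:
            raise RmTransitionError(f"activity targets {got!r}, expected {want!r}")

    def _vendor_only(self, actor: str) -> None:
        if actor != self.vendor:
            raise RmTransitionError(f"{actor} is not the vendor for this report")

    def apply(self, activity: dict) -> str:
        """Apply one activity; return the new RM state or raise RmTransitionError (state unchanged)."""
        act_id, kind, actor = activity["id"], _kind(activity), activity["actor"]
        if act_id in self.seen:                                        # ASSUMPTION: replay guard
            raise RmTransitionError(f"duplicate activity id {act_id}")
        target = _object_id(activity["object"])
        if kind == "Offer":                                            # RmSubmitReport, any actor
            self._require((RM_START,), target, self.report_id)
            self.state = RM_RECEIVED
        elif kind == "Accept":                                         # RmValidateReport
            self._vendor_only(actor)                                   # INVALID -> VALIDATED is the "Close? n" loop
            self._require((RM_RECEIVED, RM_INVALID), target, self.report_id)
            self.state = RM_VALIDATED
        elif kind == "Reject":                                         # RmInvalidateReport
            self._vendor_only(actor)
            self._require((RM_RECEIVED,), target, self.report_id)
            self.state = RM_INVALID
        elif kind == "Create":                                         # CreateCase; RM state stays VALIDATED
            self._vendor_only(actor)
            self._require((RM_VALIDATED,), activity.get("context"), self.report_id)
            case = activity["object"]
            if case.get("type") != "VulnerabilityCase" or self.report_id not in case.get("vulnerabilityReports", []):
                raise RmTransitionError("Create must embed a VulnerabilityCase that lists this report")
            if self.case_id is not None:
                raise RmTransitionError("a case already exists for this report")
            self.case_id = case["id"]
        elif kind == "Join":                                           # RmEngageCase
            self._vendor_only(actor)
            self._require((RM_VALIDATED, RM_DEFERRED), target, self.case_id)
            self.state = RM_ACCEPTED
        elif kind == "Ignore":                                         # RmDeferCase
            self._vendor_only(actor)
            self._require((RM_VALIDATED, RM_ACCEPTED), target, self.case_id)
            self.state = RM_DEFERRED
        elif kind == "Undo":                                           # RmReEngageCase; ASSUMPTION: object = the Ignore's id
            self._vendor_only(actor)
            prior = self.seen.get(target)
            if prior is None or _kind(prior) != "Ignore" or prior["actor"] != actor \
                    or _object_id(prior["object"]) != self.case_id:
                raise RmTransitionError("Undo must reference this actor's own Ignore of this case")
            self._require((RM_DEFERRED,), self.case_id, self.case_id)
            self.state = RM_ACCEPTED
        elif kind == "Leave":                                          # RmCloseCase or RmCloseReport
            self._vendor_only(actor)
            if self.case_id is not None and target == self.case_id:
                self._require((RM_ACCEPTED, RM_DEFERRED), target, self.case_id)
            else:                                                      # a report is closed only if it never became a case
                self._require((RM_INVALID,), target, self.report_id)
            self.state = RM_CLOSED
        else:
            raise RmTransitionError(f"unknown activity type {kind!r}")
        self.seen[act_id] = activity
        return self.state


def act(kind: str, actor: str, obj, act_id: str, **extra) -> dict:
    """Build a minimal activity in the page's shape (constructed test data, not a real message)."""
    return {"@context": "https://www.w3.org/ns/activitystreams", "asType": kind,
            "id": f"https://for.example/{act_id}", "actor": actor, "object": obj, **extra}


def rejects(tracker: RmTracker, activity: dict) -> bool:
    """True if the tracker refuses the activity; its state is left unchanged."""
    try:
        tracker.apply(activity)
    except RmTransitionError:
        return True
    return False


def run_vendor_path() -> list:
    """Offer -> Accept -> Create -> Ignore -> Undo -> Leave; returns the RM state after each step."""
    t = RmTracker(vendor=VENDOR, report_id=REPORT)
    case = {"type": "VulnerabilityCase", "id": CASE, "vulnerabilityReports": [REPORT]}
    steps = [act("Offer", FINDER, {"type": "VulnerabilityReport", "id": REPORT}, "a1"),
             act("Accept", VENDOR, REPORT, "a2"),
             act("Create", VENDOR, case, "a3", context=REPORT),
             act("Ignore", VENDOR, CASE, "a4"),
             act("Undo", VENDOR, "https://for.example/a4", "a5"),
             act("Leave", VENDOR, CASE, "a6")]
    return [t.apply(s) for s in steps]
```

Because every check runs before any field is assigned, a rejected activity leaves the tracker exactly as it was, so a receiver can log and drop a malformed or unauthorized message without corrupting its view of the case. The Undo branch is the one place where the receiver has to consult its own history: it accepts a re-engagement only if the referenced activity is an as:Ignore that the same actor performed on this case, which is what prevents an arbitrary actor from "undoing" someone else's deferral.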