Reporting a Vulnerability

This page is not normative

This page is not considered a core part of the Vultron Protocol as proposed in the main documentation. Although within the page we might provide guidance in terms of SHOULD, MUST, etc., the content here is not normative.

The following task flow diagram addresses the opening portion of the Report Management process in which a finder creates a vulnerability report and submits it to a vendor. The vendor then reads the report and either accepts or rejects it. If the vendor accepts the report, they create a case for it. If the vendor rejects the report, they eventually close it unless there's a reason to reconsider and validate it.

flowchart TB
    subgraph as:Create
        RmCreateReport
        CreateCase
    end
    subgraph as:Read
        RmReadReport
    end
    subgraph as:Offer
        RmSubmitReport
    end
    subgraph as:Accept
        RmValidateReport
    end
    subgraph as:Reject
        RmInvalidateReport
    end
    subgraph as:Leave
        RmCloseReport
    end
    start([Start])
    start -.-> RmCreateReport
    start --> RmSubmitReport

    RmCreateReport --> RmSubmitReport
    RmSubmitReport -.-> v{Valid?}
    RmSubmitReport --> r{Read?}
    r -->|y| RmReadReport
    r -->|n| r
    v -->|y| RmValidateReport
    RmReadReport --> v
    v -->|n| RmInvalidateReport
    RmInvalidateReport --> c{Close?}
    c -->|y| RmCloseReport
    c -->|n| v
    RmValidateReport --> CreateCase

Create Report

A finder creates a vulnerability report.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Create",
  "id": "https://for.example/9764a426-16c2-4f81-bb9f-6a83702176d7",
  "name": "https://vultron.example/users/finn Create FDR-8675309",
  "actor": "https://vultron.example/users/finn",
  "object": {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "VulnerabilityReport",
    "id": "https://vultron.example/reports/FDR-8675309",
    "name": "FDR-8675309",
    "published": "2024-07-09T20:17:19+00:00",
    "updated": "2024-07-09T20:17:19+00:00",
    "content": "I found a vulnerability!",
    "attributedTo": [
      "https://vultron.example/users/finn"
    ]
  }
}

Create to... vs Create + Offer to... ?

It's not always necessary for the Create activity to be distinct from the Offer. Creating a report to a vendor or coordinator could be equivalent to offering the report to the vendor. However, it's also possible that a report has already been created as part of a different process (perhaps involving other actors), and the Offer activity is used to offer the existing report to the vendor or coordinator. Therefore we show both options here.

Submit Report

The finder submits a vulnerability report to the vendor.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Offer",
  "id": "https://for.example/0f15388d-a8f9-4cb4-95da-5eb595d9bc3c",
  "name": "https://vultron.example/users/finn Offer FDR-8675309",
  "to": "https://vultron.example/organizations/vendor",
  "actor": "https://vultron.example/users/finn",
  "object": {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "VulnerabilityReport",
    "id": "https://vultron.example/reports/FDR-8675309",
    "name": "FDR-8675309",
    "published": "2024-07-09T20:17:19+00:00",
    "updated": "2024-07-09T20:17:19+00:00",
    "content": "I found a vulnerability!",
    "attributedTo": [
      "https://vultron.example/users/finn"
    ]
  }
}

Report submission might be followed by either a Read or Accept activity. The Read activity is optional and should be used when the vendor wants to acknowledge that they have received the report without accepting or rejecting it. The Accept activity is used when the vendor wants to accept the report and create a case for it.

Read Report

The vendor reads the vulnerability report, acknowledging that they have received it.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Read",
  "id": "https://for.example/6cc67240-68f4-49b6-9bca-e4d21009d31e",
  "name": "https://vultron.example/organizations/vendor Read https://vultron.example/reports/FDR-8675309",
  "content": "We've read the report. We'll get back to you soon.",
  "actor": "https://vultron.example/organizations/vendor",
  "object": "https://vultron.example/reports/FDR-8675309"
}

Validate Report

The vendor validates the vulnerability report, which implies that they will shortly create a case to track the vulnerability response.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Accept",
  "id": "https://for.example/d41e599c-0ab2-439a-89aa-1c179cbce9b7",
  "name": "https://vultron.example/organizations/vendor Accept https://vultron.example/reports/FDR-8675309",
  "content": "We've validated the report. We'll be creating a case shortly.",
  "actor": "https://vultron.example/organizations/vendor",
  "object": "https://vultron.example/reports/FDR-8675309"
}

Create Case

A vendor creates a case in response to a vulnerability report. Here we show a case creation including a single participant and a pointer to a report. In practice, a case may have multiple participants and (less often) multiple reports. See also Initializing a Case.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Create",
  "id": "https://for.example/72a681b7-ad28-43bc-8cf4-1ba23db1bc0d",
  "name": "https://vultron.example/organizations/vendor Create VENDOR Case #20991514",
  "context": "https://vultron.example/reports/FDR-8675309",
  "content": "We've created a case from this report.",
  "actor": "https://vultron.example/organizations/vendor",
  "object": {
    "@context": "https://www.w3.org/ns/activitystreams",
    "type": "VulnerabilityCase",
    "id": "https://vultron.example/cases/VDR-20991514",
    "name": "VENDOR Case #20991514",
    "published": "2024-07-09T20:17:19+00:00",
    "updated": "2024-07-09T20:17:19+00:00",
    "caseParticipants": [
      {
        "@context": "https://www.w3.org/ns/activitystreams",
        "type": "CaseParticipant",
        "id": "https://for.example/3ee21535-0697-4a44-ab02-b1691f170470",
        "name": "VendorCo",
        "context": null,
        "published": "2024-07-09T20:17:19+00:00",
        "updated": "2024-07-09T20:17:19+00:00",
        "actor": "https://vultron.example/organizations/vendor",
        "caseRoles": [
          "VENDOR"
        ],
        "participantStatus": [
          {
            "@context": "https://www.w3.org/ns/activitystreams",
            "type": "ParticipantStatus",
            "id": "https://for.example/f196759f-823c-4c1c-9c27-a895a3e0a003",
            "name": "REPORT_MANAGEMENT_START vfd",
            "context": null,
            "published": "2024-07-09T20:17:19+00:00",
            "updated": "2024-07-09T20:17:19+00:00",
            "actor": "https://vultron.example/organizations/vendor",
            "rmState": "REPORT_MANAGEMENT_START",
            "vfdState": "vfd",
            "caseEngagement": true,
            "embargoAdherence": true
          }
        ]
      }
    ],
    "vulnerabilityReports": [
      "https://vultron.example/reports/FDR-8675309"
    ],
    "caseStatus": [
      {
        "@context": "https://www.w3.org/ns/activitystreams",
        "type": "CaseStatus",
        "id": "https://for.example/ac4b6b81-baac-405d-ac4f-07f44fb78fb5",
        "name": "EMBARGO_MANAGEMENT_NONE pxa",
        "context": "https://vultron.example/cases/VDR-20991514",
        "published": "2024-07-09T20:17:19+00:00",
        "updated": "2024-07-09T20:17:19+00:00",
        "emState": "EMBARGO_MANAGEMENT_NONE",
        "pxaState": "pxa"
      }
    ],
    "activeEmbargo": null
  }
}

Invalidate Report

The vendor invalidates the vulnerability report, which implies that they will not be taking further action on the vulnerability. They may choose to hold the report open for a period of time before closing it in order to allow the reporter to provide additional information that could change the vendor's decision.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Reject",
  "id": "https://for.example/1022c011-da7a-4d68-987a-2d48b01f71e8",
  "name": "https://vultron.example/organizations/vendor Reject https://vultron.example/reports/FDR-8675309",
  "content": "We're declining this report as invalid. If you have a reason we should reconsider, please let us know. Otherwise we'll be closing it shortly.",
  "actor": "https://vultron.example/organizations/vendor",
  "object": "https://vultron.example/reports/FDR-8675309"
}

Close Report

The vendor closes an invalid vulnerability report, which implies that they will not be taking further action on the vulnerability.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Leave",
  "id": "https://for.example/6b554e6a-8a50-48ee-8a40-713f93c6c9da",
  "name": "https://vultron.example/organizations/vendor Leave https://vultron.example/reports/FDR-8675309",
  "content": "We're closing this report.",
  "actor": "https://vultron.example/organizations/vendor",
  "object": "https://vultron.example/reports/FDR-8675309"
}
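As an added example (not Vultron's own code), the following Python replays activities in the shapes shown above against the task flow at the top of the page: it tracks each report's state, allows a vendor-side Read, Accept, Reject or Leave only from the party the report was offered to, and allows a case to be created only from a report that party has validated. The state names, the `activity` and `replay` helpers, and the constructed sample activities are assumptions made for this example.

```python
# Example written for this page, not Vultron's own code: replays the page's
# activities against the task flow above. State names are assumptions.
FINDER = "https://vultron.example/users/finn"
VENDOR = "https://vultron.example/organizations/vendor"
REPORT = "https://vultron.example/reports/FDR-8675309"

# activity type -> (states it may be applied from, state it produces)
TRANSITIONS = {
    "Create": ({None}, "CREATED"),
    "Offer": ({None, "CREATED"}, "SUBMITTED"),
    "Read": ({"SUBMITTED"}, "READ"),
    "Accept": ({"SUBMITTED", "READ", "INVALID"}, "VALID"),  # INVALID: reconsidered
    "Reject": ({"SUBMITTED", "READ", "INVALID"}, "INVALID"),
    "Leave": ({"INVALID"}, "CLOSED"),
}
VENDOR_ACTS = {"Read", "Accept", "Reject", "Leave"}

def activity(atype, actor, obj, **extra):
    """Minimal activity in the page's JSON shape (constructed sample data)."""
    return {"@context": "https://www.w3.org/ns/activitystreams",
            "asType": atype, "actor": actor, "object": obj, **extra}

def replay(activities):
    """Apply activities in order; return {report id: {"state", "vendor"}}.
    Raises ValueError on an out-of-order step, a vendor-side activity from an
    actor the report was not offered to, or a case built on an unvalidated report."""
    reports = {}
    for act in activities:
        atype, obj = act["asType"], act["object"]
        if atype == "Create" and isinstance(obj, dict) and obj.get("type") == "VulnerabilityCase":
            src = reports.get(act.get("context"))  # the report the case is created from
            if src is None or src["state"] != "VALID" or src["vendor"] != act["actor"]:
                raise ValueError("case created from a report this actor has not validated")
            continue
        rid = obj["id"] if isinstance(obj, dict) else obj
        rec = reports.setdefault(rid, {"state": None, "vendor": None})
        allowed, new_state = TRANSITIONS[atype]
        if rec["state"] not in allowed:
            raise ValueError(f"{atype} not allowed from {rec['state']} for {rid}")
        if atype == "Offer":
            rec["vendor"] = act["to"]  # remember who the report was submitted to
        elif atype in VENDOR_ACTS and act["actor"] != rec["vendor"]:
            raise ValueError(f"{atype} by {act['actor']}, but report was offered to {rec['vendor']}")
        rec["state"] = new_state
    return reports

REPORT_OBJ = {"type": "VulnerabilityReport", "id": REPORT, "attributedTo": [FINDER]}
CASE_OBJ = {"type": "VulnerabilityCase", "id": "https://vultron.example/cases/VDR-20991514"}
HAPPY_PATH = [activity("Create", FINDER, REPORT_OBJ), activity("Offer", FINDER, REPORT_OBJ, to=VENDOR),
              activity("Read", VENDOR, REPORT), activity("Accept", VENDOR, REPORT),
              activity("Create", VENDOR, CASE_OBJ, context=REPORT)]
```

Feeding `replay` a real inbox in arrival order gives a quick consistency check on the Report Management flow before any case record is touched.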