Skip to content

Suggesting an Actor for a Case

This page is not normative

This page is not considered a core part of the Vultron Protocol as proposed in the main documentation. Although within the page we might provide guidance in terms of SHOULD, MUST, etc., the content here is not normative.

During the course of coordinating a case, an existing case participant might recognize that another actor should be invited to participate in the case. The following mechanisms provide a way for a case participant to suggest that another actor be invited to participate in the case.




Why Suggest instead of just Invite?

The process described here makes an assumption that there is a case owner who is responsible for coordinating the case. Participants having the case owner role can in principle just directly invite other actors to participate in the case, and they might not need the suggestion mechanism described here. However, we include this mechanism to account for the possibilities that:

  • there could be multiple case owners, and they might not all agree on who should be invited to participate in the case.
  • a non-case-owner participant might want to suggest that another actor be invited to participate in the case

Of these, the latter is the more likely scenario, but the mechanism described here can be used in either case.

Reasons to Invite other Actors

There are many reasons why a case participant might want to suggest another actor to participate in a case. The following are some examples:

  • A finder, having reported to one vendor, might further discover that the vulnerability is actually in a third-party library, and suggest inviting the library vendor to participate in the case.
  • A vendor might be a participant in (but not the owner of) a case, and wants to suggest that the case owner invite a sector-specific coordinator to participate in the case to address critical infrastructure concerns.
  • A reporter participant might suggest a technical expert (for example, a member of a protocol working group) to include in the case.
  • A coordinator might suggest to the case owner that a large deployer be invited to participat in a case to address concerns about the impact of deploying a fix for a vulnerability on infrastructure and operations.

Below is a sequence diagram showing the process of suggesting an actor for a case. We used a sequence diagram instead of a flow chart since the process is relatively simple and the sequence diagram is easier to read.

---
title: Suggesting an Actor for a Case
---
sequenceDiagram
    actor A as Participant
    participant C as Case
    actor B as Case Owner
    actor D as Actor 
    Note over A: Recognize that Actor should be invited
    A ->> C: Offer(object=Actor, target=Case)
    activate A
    C -->+ B: Observe suggestion
    alt Accept Suggestion
        B -->> C: Accept(object=Actor, target=Case, inReplyTo=Offer)
        B ->>+ D: Invite(object=Case, target=Actor)
    else Reject Suggestion
        B -->> C: Reject(object=Actor, target=Case, inReplyTo=Offer)
    end
    deactivate B
    C --> A: Observe response
    deactivate A
    note over D: Respond to invitation (not shown)
    deactivate D

Recommend Actor

An actor can recommend that another actor be invited to participate in a case by sending an Offer activity with the object property set to the actor that is being recommended. The target property of the Offer activity is set to the case object. Implementations should then prompt the case owner to accept or reject the recommendation.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Offer",
  "id": "https://for.example/9076ab65-f247-4ccf-b1f9-64b0dc1c649f",
  "name": "https://vultron.example/users/finn Offer https://vultron.example/organizations/coordinator to https://vultron.example/cases/VDR-20991514",
  "context": "https://vultron.example/cases/VDR-20991514",
  "content": "I'm recommending we add Coordinator LLC to the case.",
  "to": "https://vultron.example/organizations/vendor",
  "actor": "https://vultron.example/users/finn",
  "target": "https://vultron.example/cases/VDR-20991514",
  "object": "https://vultron.example/organizations/coordinator"
}

Accept Actor Recommendation

The case owner can accept the recommendation by sending an Accept activity. We show this as an actor accepting the actor object from the recommendation above, rather than accepting the Offer activity itself. Note the target property of the Accept activity is set to the case object.

This should be followed by the case owner inviting the actor to the case.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Accept",
  "id": "https://for.example/6ac3552b-5981-4aa0-b550-d3140c4a0188",
  "name": "https://vultron.example/organizations/vendor Accept https://vultron.example/organizations/coordinator to https://vultron.example/cases/VDR-20991514",
  "context": "https://vultron.example/cases/VDR-20991514",
  "content": "We're accepting your recommendation to add Coordinator LLC to the case. We'll reach out to them shortly.",
  "to": "https://vultron.example/users/finn",
  "actor": "https://vultron.example/organizations/vendor",
  "target": "https://vultron.example/cases/VDR-20991514",
  "object": "https://vultron.example/organizations/coordinator"
}

Reject Actor Recommendation

The case owner can reject the recommendation by sending a RejectActorRecommendation activity. The structure of this activity is similar to the Accept activity above.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Reject",
  "id": "https://for.example/1ff33d8f-9135-4cd5-8eff-3211e81f1782",
  "name": "https://vultron.example/organizations/vendor Reject https://vultron.example/organizations/coordinator to https://vultron.example/cases/VDR-20991514",
  "context": "https://vultron.example/cases/VDR-20991514",
  "content": "We're declining your recommendation to add Coordinator LLC to the case. Thanks anyway.",
  "to": "https://vultron.example/users/finn",
  "actor": "https://vultron.example/organizations/vendor",
  "target": "https://vultron.example/cases/VDR-20991514",
  "object": "https://vultron.example/organizations/coordinator"
}

Invite to Case

A vendor invites a coordinator to a case.

{
  "@context": "https://www.w3.org/ns/activitystreams",
  "asType": "Invite",
  "id": "https://vultron.example/cases/VDR-20991514/invitation/1",
  "name": "https://vultron.example/organizations/vendor Invite https://vultron.example/organizations/coordinator to https://vultron.example/cases/VDR-20991514",
  "content": "We're inviting you to participate in VENDOR Case #20991514.",
  "to": "https://vultron.example/organizations/coordinator",
  "actor": "https://vultron.example/organizations/vendor",
  "target": "https://vultron.example/cases/VDR-20991514",
  "object": "https://vultron.example/organizations/coordinator"
}