Transferring Case Ownership
This page is not normative
This page is not considered a core part of the Vultron Protocol as proposed in the main documentation. Although within the page we might provide guidance in terms of SHOULD, MUST, etc., the content here is not normative.
Transfer of case ownership was not part of the original Vultron protocol, but it seems like a reasonable extension that could be useful in some cases, such as transferring a case
- from a researcher to a vendor
- from a vendor to an upstream vendor
- from a vendor to a coordinator
- from a coordinator to a vendor
- between coordinators
The presumption here is that the initial creator of a case is its owner. Subsequent to that, the existing owner can offer to transfer ownership to another participant. The new owner can then accept or reject the offer.
We use a sequence diagram instead of a flow chart since the process is relatively simple and the sequence diagram is easier to read.
sequenceDiagram
    actor A as Current Case Owner
    actor B as Potential Case Owner
    participant C as Case
    A ->> B: Offer(object=Case)
    note over B: Consider offer
    activate B
    alt Accept Offer
        B -->> A: Accept(object=Case, inReplyTo=Offer)
        A ->> C: Update(object=Case)
        note over C: Case has new owner
    else Reject Offer
        B -->> A: Reject(object=Case, inReplyTo=Offer)
        note over C: Case ownership unchanged
    end
    deactivate B
Offer Case Ownership Transfer
The current owner of a case can offer to transfer ownership of the case to another participant.
{
    "@context": "https://www.w3.org/ns/activitystreams",
    "asType": "Offer",
    "id": "https://for.example/2d7997d2-2db0-4ed1-9090-5602ae47f783",
    "name": "https://vultron.example/organizations/vendor Offer VENDOR Case #20991514 to https://vultron.example/organizations/coordinator",
    "content": "We're offering to transfer ownership of case VENDOR Case #20991514 to you.",
    "actor": "https://vultron.example/organizations/vendor",
    "target": "https://vultron.example/organizations/coordinator",
    "object": {
        "@context": "https://www.w3.org/ns/activitystreams",
        "type": "VulnerabilityCase",
        "id": "https://vultron.example/cases/VDR-20991514",
        "name": "VENDOR Case #20991514",
        "published": "2024-07-09T20:17:20+00:00",
        "updated": "2024-07-09T20:17:20+00:00",
        "caseStatus": [
            {
                "@context": "https://www.w3.org/ns/activitystreams",
                "type": "CaseStatus",
                "id": "https://for.example/a6f1b91a-9471-49a9-b789-6e474b820149",
                "name": "EMBARGO_MANAGEMENT_NONE pxa",
                "context": "https://vultron.example/cases/VDR-20991514",
                "published": "2024-07-09T20:17:20+00:00",
                "updated": "2024-07-09T20:17:20+00:00",
                "emState": "EMBARGO_MANAGEMENT_NONE",
                "pxaState": "pxa"
            }
        ],
        "activeEmbargo": null
    }
}
Accept Case Ownership Transfer
The new owner of a case can accept an offer to transfer ownership of the case to them.
{
    "@context": "https://www.w3.org/ns/activitystreams",
    "asType": "Accept",
    "id": "https://for.example/1b64b9f8-d099-4764-a062-503d30b013a7",
    "name": "https://vultron.example/organizations/coordinator Accept VENDOR Case #20991514 from https://vultron.example/organizations/vendor",
    "inReplyTo": null,
    "content": "We're accepting your offer to transfer ownership of case VENDOR Case #20991514 to us.",
    "actor": "https://vultron.example/organizations/coordinator",
    "origin": "https://vultron.example/organizations/vendor",
    "object": {
        "@context": "https://www.w3.org/ns/activitystreams",
        "type": "VulnerabilityCase",
        "id": "https://vultron.example/cases/VDR-20991514",
        "name": "VENDOR Case #20991514",
        "published": "2024-07-09T20:17:20+00:00",
        "updated": "2024-07-09T20:17:20+00:00",
        "caseStatus": [
            {
                "@context": "https://www.w3.org/ns/activitystreams",
                "type": "CaseStatus",
                "id": "https://for.example/25c49b01-98bf-41bd-a244-d8c8e386c2e8",
                "name": "EMBARGO_MANAGEMENT_NONE pxa",
                "context": "https://vultron.example/cases/VDR-20991514",
                "published": "2024-07-09T20:17:20+00:00",
                "updated": "2024-07-09T20:17:20+00:00",
                "emState": "EMBARGO_MANAGEMENT_NONE",
                "pxaState": "pxa"
            }
        ],
        "activeEmbargo": null
    }
}
Reject Case Ownership Transfer
The proposed new owner of a case can reject an offer to transfer ownership of the case to them. In this case, the case ownership transfer is cancelled, and the case ownership remains with the original owner.
{
    "@context": "https://www.w3.org/ns/activitystreams",
    "asType": "Reject",
    "id": "https://for.example/6392ae54-924a-4d01-9cd0-c85e0e864e57",
    "name": "https://vultron.example/organizations/coordinator Reject VENDOR Case #20991514 from https://vultron.example/organizations/vendor",
    "inReplyTo": null,
    "content": "We're declining your offer to transfer ownership of case VENDOR Case #20991514 to us.",
    "actor": "https://vultron.example/organizations/coordinator",
    "origin": "https://vultron.example/organizations/vendor",
    "object": {
        "@context": "https://www.w3.org/ns/activitystreams",
        "type": "VulnerabilityCase",
        "id": "https://vultron.example/cases/VDR-20991514",
        "name": "VENDOR Case #20991514",
        "published": "2024-07-09T20:17:20+00:00",
        "updated": "2024-07-09T20:17:20+00:00",
        "caseStatus": [
            {
                "@context": "https://www.w3.org/ns/activitystreams",
                "type": "CaseStatus",
                "id": "https://for.example/ca761c2d-d6b2-4746-a29e-df1d89b68d07",
                "name": "EMBARGO_MANAGEMENT_NONE pxa",
                "context": "https://vultron.example/cases/VDR-20991514",
                "published": "2024-07-09T20:17:20+00:00",
                "updated": "2024-07-09T20:17:20+00:00",
                "emState": "EMBARGO_MANAGEMENT_NONE",
                "pxaState": "pxa"
            }
        ],
        "activeEmbargo": null
    }
}
Update Case
The case object is updated to reflect the new owner of the case.
{
    "@context": "https://www.w3.org/ns/activitystreams",
    "asType": "Update",
    "id": "https://for.example/bf4e4659-ee55-485e-bc20-c542c32d6fe8",
    "name": "https://vultron.example/organizations/vendor Update https://vultron.example/cases/VDR-20991514",
    "content": "We're updating the case to reflect a transfer of ownership.",
    "actor": "https://vultron.example/organizations/vendor",
    "object": "https://vultron.example/cases/VDR-20991514"
}
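A receiver-side consistency check for the Offer/Accept/Reject exchange above, as an added example that is not part of the Vultron documentation or code base: ownership changes only when an Accept comes from the Offer's `target`, names the offering owner as `origin`, and refers to the same case. The function names, the separately tracked `owner` value, and the `require_in_reply_to` switch are assumptions; the switch exists because the sequence diagram shows `inReplyTo=Offer` while the sample messages on this page carry `"inReplyTo": null`.

```python
# Added example: constructed messages trimmed to the fields the checks read.
CASE = "https://vultron.example/cases/VDR-20991514"
VENDOR = "https://vultron.example/organizations/vendor"
COORD = "https://vultron.example/organizations/coordinator"
OFFER = {"asType": "Offer", "id": "https://for.example/2d7997d2-2db0-4ed1-9090-5602ae47f783",
         "actor": VENDOR, "target": COORD, "object": {"id": CASE}}


def reply_to(offer, as_type, **overrides):
    """Build a constructed Accept/Reject shaped like the page's samples."""
    msg = {"asType": as_type, "inReplyTo": offer["id"], "actor": offer["target"],
           "origin": offer["actor"], "object": {"id": offer["object"]["id"]}}
    msg.update(overrides)
    return msg


def case_id(activity):
    """Case id from an embedded case object or a bare id string (both forms appear on this page)."""
    obj = activity.get("object")
    return obj.get("id") if isinstance(obj, dict) else obj


def check_reply(offer, reply, owner, require_in_reply_to=True):
    """Return reasons the reply must not change ownership (empty list = consistent)."""
    problems = []
    if offer.get("asType") != "Offer" or offer.get("actor") != owner:
        problems.append("offer not made by current owner")
    if reply.get("asType") not in ("Accept", "Reject"):
        problems.append("reply is not Accept or Reject")
    if reply.get("actor") != offer.get("target"):
        problems.append("reply actor is not the offer target")
    if reply.get("origin") != offer.get("actor"):
        problems.append("reply origin is not the offering owner")
    if case_id(reply) != case_id(offer):
        problems.append("reply names a different case")
    ref = reply.get("inReplyTo")
    if ref is None and require_in_reply_to:
        problems.append("reply not bound to an offer id")
    elif ref is not None and ref != offer.get("id"):
        problems.append("reply answers a different offer")
    return problems


def owner_after(offer, reply, owner, **kw):
    """Owner the receiver should record: changes only on a consistent Accept."""
    if check_reply(offer, reply, owner, **kw) or reply["asType"] != "Accept":
        return owner
    return offer["target"]
```
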