ISO/IEC 29147:2018 Crosswalk
This page is not normative
This page is not considered a core part of the Vultron Protocol as proposed in the main documentation. Although within the page we might provide guidance in terms of SHOULD, MUST, etc., the content here is not normative.
ISO/IEC 29147:2018 Information technology — Security techniques — Vulnerability disclosure also overlaps with the Vultron Protocol. Where ISO/IEC 30111 addresses a vendor's internal handling of a vulnerability, ISO/IEC 29147 addresses the external interface: receiving reports from outside parties, coordinating with them, and publishing advisories.
Perhaps unsurprisingly, clauses 5 through 9 of ISO/IEC 29147:2018 overlap significantly with the Vultron Protocol.
Consistent Terminology
Our use of the following terms is consistent with ISO/IEC 29147:2018 §5.4 Systems, components, and services: Systems, Components, Products, Services, Vulnerability, and Product interdependency.
ISO/IEC 29147:2018 §5.5 Stakeholder Roles includes User, Vendor, Reporter, and Coordinator. We generally use Deployer instead of User, but the rest are consistent.
See the table below for a thorough cross-reference.
| ISO/IEC 29147:2018 Clause | Sub-Clause | Vultron Protocol Mapping |
|---|---|---|
| 5.6 Vulnerability Handling Process Summary | 5.6.1 General, 5.6.2 Preparation, 5.6.3 Receipt, 5.6.4 Verification, 5.6.5 Remediation development, 5.6.6 Release, 5.6.7 Post-release | The first few subsections of ISO/IEC 29147:2018 §5.6 are recapitulated in ISO/IEC 30111:2019; see the corresponding rows of the ISO/IEC 30111:2019 crosswalk page |
| | 5.6.8 Embargo period | EM Discussion |
| 5.7 Information exchange during vulnerability disclosure | send-report-to | Message Types; Reporting Behavior; \(q^{rm} \in A\) + RS (sender); \(q^{rm} \in S \xrightarrow{r} R\) + RS (receiver) |
| | release-advisory-to | Message Types; Prepare Publication Behavior; \(q^{rm} \in A\) + GI (sender); \(q^{rm} \in \{R,V,A,D\}\) + GI (receiver) |
| 5.8 Confidentiality | | Embargo Management Model, Transport Protocol |
| 5.9 Vulnerability advisories | | the Public Awareness substate, Publication Behavior |
| 5.10 Vulnerability exploitation | | the Exploit Public substate, the Attacks Observed substate, Monitor Threats Behavior |
| 5.11 Vulnerabilities and risk | | Interactions between the Vultron Protocol and SSVC |
| 6 Receiving vulnerability reports | 6.1 General | the Report Management Model, the Vendor Awareness substate, Process RM Messages Behavior |
| 6.2 Vulnerability reports | 6.2.1 General | the Report Management Model, Reporting Behavior |
| | 6.2.2 Capability to receive reports | the Received state, Process RM Messages Behavior |
| | 6.2.3 Monitoring | Receiving and Processing Messages Behavior |
| | 6.2.4 Report Tracking | the Report Management Model, Reporting Behavior, Case Object |
| | 6.2.5 Report Acknowledgement | RM Message Types, Process RM Messages Behavior |
| 6.3 Initial assessment | | RM Message Types, Report Prioritization Behavior |
| 6.4 Further investigation | | RM Message Types, Do Work Behavior |
| 6.5 On-going communication | | Message Types |
| 6.6 Coordinator involvement | - | RM Interactions Between CVD Participants, Inviting Others to an Embargoed Case, Coordination with a Coordinator, Notify Others Behavior |
| 6.7 Operational security | - | Transport Protocol |
| 7 Publishing vulnerability advisories | all | Publication Behavior, CVD Case Substates |
| 7.3 Advisory publication timing | | Embargo Principles |
| 7.4 Advisory elements | | Message Formats |
| 7.5 Advisory communication | | Publication Behavior |
| 7.6 Advisory format | | Message Formats |
| 7.7 Advisory authenticity | | Identity Management |
| 7.8 Remediations | | Deployment Behavior |
| 8 Coordination | 8.1 General | the Received state, the Accepted state, RM Interactions Between CVD Participants, Inviting Others to an Embargoed Case, Modeling an MPCVD AI Using Behavior Trees |
| | 8.2 Vendors playing multiple roles | the Received state, the Accepted state, the Fix Readiness substate, Reporting Behavior |
| 9 Vulnerability disclosure policy | 9.2.2 Preferred contact mechanism | Receiving and Processing Messages Behavior |
| | 9.3.2 Vulnerability report contents | Case Object |
| | 9.3.3 Secure communication options | Transport Protocol |
| | 9.3.4 Setting communication expectations | Default Embargoes, Transition Functions, Report Management Behavior Tree |
| | 9.3.6 Publication | Publication Behavior |
| | 9.4.3 Disclosure timeline | Embargo Management Model |