ISO/IEC 30111:2019 Crosswalk
This page is not normative
This page is not considered a core part of the Vultron Protocol as proposed in the main documentation. Although within the page we might provide guidance in terms of SHOULD, MUST, etc., the content here is not normative.
Clause 7 of ISO/IEC 30111:2019, *Information technology — Security techniques — Vulnerability handling processes*, closely relates to the Vultron Protocol.
The table below maps each clause and sub-clause of ISO/IEC 30111:2019 onto the relevant concepts and sections of this documentation, including the Report Management (RM) and Case State (CS) transitions involved.
| ISO/IEC 30111:2019 Clause | Sub-Clause | Vultron Protocol Mapping |
|---|---|---|
| 7.1.1 General | - | See details below |
| 7.1.2 Preparation | - | See details below |
| 7.1.3 Receipt | a) Internally Found Vulnerabilities | the Received state; RM Message Types; Vulnerability Discovery Behavior; \(q^{rm} \in S \xrightarrow{r} R\) |
| | b) Externally Found Vulnerabilities | the Received state; RM Message Types; Process RM Messages Behavior; \(q^{rm} \in S \xrightarrow{r} R\) |
| | c) Publicly Disclosed Vulnerabilities | the Received state; RM Message Types; CS Message Types; Monitor Threats Behavior; Process RM Messages Behavior; Process CS Messages Behavior; \(q^{rm} \in S \xrightarrow{r} R\); \(q^{cs} \in \cdot\cdot\cdot p \cdot\cdot \xrightarrow{\mathbf{P}} \cdot\cdot\cdot P \cdot\cdot\) |
| 7.1.4 Verification | a) Initial Investigation | the Received state; Report Validation Behavior; \(q^{rm} \in R \xrightarrow{v} V\) if valid; \(q^{rm} \in R \xrightarrow{i} I\) if invalid |
| | b) Possible Process Exit 1) Duplicate | attach to the original report |
| | b) Possible Process Exit 2) Obsolete product | \(q^{rm} \in I \xrightarrow{c} C\) if invalid; \(q^{rm} \in V \xrightarrow{d} D \xrightarrow{c} C\) if valid |
| | b) Possible Process Exit 3) Non-security | \(q^{rm} \in I \xrightarrow{c} C\) |
| | b) Possible Process Exit 4) Other vendor | Reporting Behavior; \(q^{rm} \in V \xrightarrow{a} A\) |
| | c) Root Cause Analysis | Do Work Behavior; \(q^{rm} \in A\) |
| | d) Further investigation | Do Work Behavior; \(q^{rm} \in A\) |
| | e) Prioritization | the Valid state; Report Prioritization Behavior; \(q^{rm} \in V \xrightarrow{d} D\) on defer; \(q^{rm} \in V \xrightarrow{a} A\) on accept |
| | f) Inform reporter | Report Validation Behavior; Report Prioritization Behavior; emit RV, RI, RA, RD messages as appropriate |
| 7.1.5 Remediation Development | all | the Accepted state; the Fix Readiness substate; Fix Ready; Fix Development Behavior; \(q^{rm} \in A\); \(q^{cs} \in Vfd\cdot\cdot\cdot \xrightarrow{\mathbf{F}} VFd\cdot\cdot\cdot\) |
| 7.1.6 Release | - | the Fix Readiness substate; Publication Behavior; \(q^{cs} \in VFdp\cdot\cdot \xrightarrow{\mathbf{P}} VFdP\cdot\cdot\) |
| 7.1.7 Post-release | all | Report Closure Behavior; Deployment Behavior; \(q^{cs} \in VF\cdot P\cdot\cdot\); \(q^{rm} \in \{A, D\}\) |
| 7.2 Process Monitoring | all | Deployment Behavior |
| 7.3 Confidentiality | - | Embargo Management Behavior |
| 8 Supply chain considerations | - | Reporting Behavior |
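As an added illustration that is not part of the Vultron Protocol documentation or its code base, the following Python models the RM transitions and the vfdpxa case-state events the table cites, recording which ISO/IEC 30111 clause each step realises and refusing steps the crosswalk does not permit. The `A -c-> C` closure edge and the ordering checks (F after V, D after F) are assumptions drawn from the behaviors the table names rather than from the table itself.

```python
from dataclasses import dataclass, field

# RM edges cited in the table: (state, label) -> (next, ISO clause); A -c-> C is assumed from Report Closure Behavior (7.1.7).
RM_EDGES = {
    ("S", "r"): ("R", "7.1.3 Receipt"),
    ("R", "v"): ("V", "7.1.4 a) Initial Investigation"),
    ("R", "i"): ("I", "7.1.4 a) Initial Investigation"),
    ("I", "c"): ("C", "7.1.4 b) Possible Process Exit"),
    ("V", "a"): ("A", "7.1.4 e) Prioritization"),
    ("V", "d"): ("D", "7.1.4 e) Prioritization"),
    ("D", "c"): ("C", "7.1.4 b) Possible Process Exit"),
    ("A", "c"): ("C", "7.1.7 Post-release"),
}
CS_ORDER = "vfdpxa"  # case state letters; uppercase means the event has happened
CS_CLAUSE = {"F": "7.1.5 Remediation Development", "P": "7.1.6 Release"}  # CS events the table cites

@dataclass
class Case:
    rm: str = "S"
    cs: str = "vfdpxa"
    trail: list = field(default_factory=list)  # (clause, transition) pairs in order

    def rm_step(self, label: str) -> "Case":
        """Apply one RM transition; refuse anything the crosswalk does not permit."""
        if (self.rm, label) not in RM_EDGES:
            raise ValueError(f"no RM transition {self.rm} -{label}->")
        nxt, clause = RM_EDGES[(self.rm, label)]
        self.trail.append((clause, f"{self.rm} -{label}-> {nxt}"))
        self.rm = nxt
        return self

    def cs_step(self, event: str) -> "Case":
        """Flip one vfdpxa letter to upper case; assumed order: F requires V, D requires F."""
        i = CS_ORDER.index(event.lower())
        if i in (1, 2) and self.cs[i - 1].islower():
            raise ValueError(f"{event} cannot precede {CS_ORDER[i - 1].upper()} in {self.cs}")
        nxt = self.cs[:i] + event.upper() + self.cs[i + 1:]
        self.trail.append((CS_CLAUSE.get(event, "not in crosswalk"), f"{self.cs} -{event}-> {nxt}"))
        self.cs = nxt
        return self

def vendor_walkthrough() -> Case:
    """Receipt, verification, accept, fix ready, release, closure: clauses 7.1.3 through 7.1.7."""
    return (Case().rm_step("r").cs_step("V").rm_step("v").rm_step("a")
            .cs_step("F").cs_step("P").rm_step("c"))

def obsolete_product_exit(valid: bool) -> Case:
    """7.1.4 b) exit 2: an invalid report closes from I; a valid one is deferred, then closed."""
    c = Case().rm_step("r")
    return c.rm_step("v").rm_step("d").rm_step("c") if valid else c.rm_step("i").rm_step("c")
```

Walking a case through `vendor_walkthrough()` leaves it at `q^{rm} = C` and `q^{cs} = VFdPxa`, with the trail showing the F and P events attributed to 7.1.5 and 7.1.6 respectively.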