ISO/IEC TR 5895:2022 Crosswalk
This page is not normative
This page is not considered a core part of the Vultron Protocol as proposed in the main documentation. Although within the page we might provide guidance in terms of SHOULD, MUST, etc., the content here is not normative.
ISO/IEC TR 5895:2022 Cybersecurity — Multi-party coordinated vulnerability disclosure and handling intersects most directly with our topic.
The table below contains our mapping of relevant sections of that technical report to our protocol model.
ISO/IEC TR 5895:2022 Clause | Sub-Clause | Vultron Protocol Model |
---|---|---|
4 Concepts | 4.2.3 Risk Reduction Effectiveness | Early Termination; Adding Participants to an Embargoed Case |
5 MPCVD Scenarios in Scope | all | Adding Participants to an Embargoed Case |
6 MPCVD Stakeholders | all | Terms and Definitions |
7 MPCVD Lifecycle | 7.2 Policy Development | the Report Management Model; the Received state; Default Embargoes; CVD Directory |
7 MPCVD Lifecycle | 7.3 Strategy development | RM Interactions between CVD Participants; EM Discussion |
7 MPCVD Lifecycle | 7.4 Know your customers | RM Interactions between CVD Participants; Adding Participants to an Embargoed Case |
7 MPCVD Lifecycle | 7.5 Encrypted Communication Methods and Conference Calls | Transport Protocol |
7 MPCVD Lifecycle | 7.6 Processes and Controls | See NDA Note in Embargo Management Model |
8 MPCVD lifecycle for each product | all | Deployment Behavior; Fix Development Behavior; Reporting Behavior; Publication Behavior; \(q^{rm} \in A\) |
9 MPCVD lifecycle for each vulnerability | 9.1 Receipt | the Start state; the Received state; the Vendor Awareness substate; Process RM Messages Behavior; Reporting Behavior; \(q^{rm} \in S \xrightarrow{r} R\); \(q^{cs} \in vfd\cdot\cdot\cdot \xrightarrow{\mathbf{V}} Vfd\cdot\cdot\cdot\) |
9 MPCVD lifecycle for each vulnerability | 9.2 Verification | the Received state; the Valid state; the Valid state; Embargo Principles; Report Validation Behavior; Report Prioritization Behavior; Reporting Behavior; \(q^{rm} \in R \xrightarrow{v} V\) (valid); \(q^{rm} \in R \xrightarrow{i} I\) (invalid); Emit RV, RI, RA, RD as appropriate |
9 MPCVD lifecycle for each vulnerability | 9.3 Remediation development | the Accepted state; the Fix Readiness substate; Fix Ready; Fix Development Behavior; \(q^{rm} \in A\); \(q^{cs} \in Vfd\cdot\cdot\cdot \xrightarrow{\mathbf{F}} VFd\cdot\cdot\cdot\) |
9 MPCVD lifecycle for each vulnerability | 9.4 Release | the Fix Readiness substate; Publication Behavior; \(q^{cs} \in VFdp\cdot\cdot \xrightarrow{\mathbf{P}} VFDP\cdot\cdot\) |
9 MPCVD lifecycle for each vulnerability | 9.5 Post-release | Report Closure Behavior; Deployment Behavior; \(q^{rm} \in \{A,D\}\); \(q^{cs} \in VF\cdot P\cdot\cdot\) |
9 MPCVD lifecycle for each vulnerability | 9.6 Embargo Period | RM Interactions between CVD Participants; EM Discussion; Interactions Between the RM and EM Models; \(q^{em} \not\in X\) |
10 Information exchange | - | RM Interactions between CVD Participants; Message Types; Reporting Behavior |
11 Disclosure | - | Adding Participants to an Embargoed Case; Coordination with a Coordinator; Publication Behavior |
12 Use case for hardware and further considerations | - | Adding Participants to an Embargoed Case; Interactions Between the RM and EM Models; Reporting Behavior |