Acquire Exploit Behavior
Some Vendors or other CVD Participants might require a proof-of-concept exploit to accompany an incoming report for it to pass their validation checks. To that end, an Acquire Exploit Behavior Tree is shown below.
```mermaid
---
title: Acquire Exploit Behavior Tree
---
flowchart LR
    fb["?"]
    have_exploit(["have exploit?"])
    fb --> have_exploit
    seq["→"]
    fb --> seq
    fb2["?"]
    seq --> fb2
    exp_priority(["exploit priority<br/>set?"])
    fb2 --> exp_priority
    eval_priority["evaluate<br/>priority"]
    fb2 --> eval_priority
    exp_desired(["exploit desired?"])
    seq --> exp_desired
    fb3["?"]
    seq --> fb3
    find_exploit["find exploit"]
    fb3 --> find_exploit
    dev_exploit["develop exploit"]
    fb3 --> dev_exploit
    pay_exploit["purchase exploit"]
    fb3 --> pay_exploit
```
The goal of this behavior is for the Participant to be in possession of an exploit.
If the Participant does not already have one, the main acquisition sequence is triggered. The sequence begins by ensuring that the exploit acquisition activity has sufficient priority to continue. If it does, the Participant has one of three options to choose from: they can find one somewhere else, develop it themselves, or pay someone for the privilege.
The overall behavior returns Success either when an exploit is acquired or when one is not desired and is therefore deferred. It can fail in the scenario where an exploit is desired but not acquired.
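The tree's evaluation order can be traced with a small model, added here as an example and not taken from the Vultron code base. The `Participant` fields, the route labels and the final `deferred` leaf are assumptions: the flowchart has no node for the deferred outcome the prose describes, so the example adds one as the last fallback child.

```python
from dataclasses import dataclass, field
from typing import Optional
SUCCESS, FAILURE = "Success", "Failure"

@dataclass
class Participant:
    """Constructed state for this example; all field names are assumptions."""
    has_exploit: bool = False
    priority: Optional[str] = None   # None until "evaluate priority" has run
    wants_exploit: bool = False      # what "evaluate priority" will decide
    sources: tuple = ()              # acquisition routes that would succeed
    tried: list = field(default_factory=list)  # routes attempted, in order

def cond(pred):
    """Condition leaf (rounded node in the flowchart)."""
    return lambda p: SUCCESS if pred(p) else FAILURE

def fallback(*children):
    """'?' node: tick children left to right, stop at the first Success."""
    return lambda p: SUCCESS if any(c(p) == SUCCESS for c in children) else FAILURE

def sequence(*children):
    """'→' node: tick children left to right, stop at the first Failure."""
    return lambda p: SUCCESS if all(c(p) == SUCCESS for c in children) else FAILURE

def evaluate_priority(p):
    """Action leaf: record the decision so later ticks skip re-evaluation."""
    p.priority = "desired" if p.wants_exploit else "deferred"
    return SUCCESS

def acquire(route):
    """Action leaf for one acquisition route (find, develop or purchase)."""
    def tick(p):
        p.tried.append(route)
        p.has_exploit = route in p.sources
        return SUCCESS if p.has_exploit else FAILURE
    return tick

acquire_exploit = fallback(
    cond(lambda p: p.has_exploit),
    sequence(
        fallback(cond(lambda p: p.priority is not None), evaluate_priority),
        cond(lambda p: p.priority == "desired"),
        fallback(acquire("find"), acquire("develop"), acquire("purchase")),
    ),
    # Assumption: this leaf is not in the flowchart. It models the prose's
    # "not desired and therefore deferred" outcome, which returns Success.
    cond(lambda p: p.priority == "deferred"),
)
```

Calling `acquire_exploit(Participant(wants_exploit=True, sources=("develop",)))` returns Success after trying `find` and then `develop`; the `tried` list shows that `purchase` is never reached once an earlier route succeeds.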