CVD Case State Model
This page is normative
This page is considered a core part of the Vultron Protocol. This is a normative section of the documentation.
Here we complete the definition of the CVD Case State (CS) model begun in the previous page. As a reminder, this model provides a high-level view of the state of a CVD case and is derived from A State-Based Model for Multi-Party Coordinated Vulnerability Disclosure.
DFA Notation Defined
A Deterministic Finite Automaton is defined as a 5-tuple \((\mathcal{Q},q_0,\mathcal{F},\Sigma,\delta)\) where
- \(\mathcal{Q}\) is a finite set of states.
- \(q_0 \in \mathcal{Q}\) is an initial state.
- \(\mathcal{F} \subseteq \mathcal{Q}\) is a set of final (or accepting) states.
- \(\Sigma\) is a finite set of input symbols.
- \(\delta\) is a transition function of the form \(\delta: \mathcal{Q} \times \Sigma \xrightarrow{} \mathcal{Q}\).
As in the RM and EM process models, we wish to define a 5-tuple \((\mathcal{Q},q_0,\mathcal{F},\Sigma,\delta)\), this time for the CS model.
Example CS State
The state \(q^{cs} \in VFdpXa\) represents that:
- the Vendor is aware
- the fix is ready
- the fix is not deployed
- no public awareness
- an exploit is public
- no attacks have been observed
In the CS model, a state \(q^{cs}\) represents the status of each of the six substates. State labels use the substate notation given in the table below.
The order in which the events occurred does not matter when defining the state. However, we will observe a notation convention keeping the letter names in the same case-insensitive order \((v,f,d,p,x,a)\).
The CS model builds upon the CVD substates defined in the Case State introduction, summarized in the table below.
CVD Case Substates Defined
Lowercase letters designate events that have not occurred, while uppercase letters designate events that have occurred in a particular state.
Substate | Notation | Meaning | Notation | Meaning |
---|---|---|---|---|
Vendor Awareness | v | Vendor is not aware of the report | V | Vendor is aware of the report |
Fix Readiness | f | Fix is not ready | F | Fix is ready |
Fix Deployment | d | Fix is not deployed | D | Fix is deployed |
Public Awareness | p | Public is not aware of the report | P | Public is aware of the report |
Exploit Public | x | Exploit is not public | X | Exploit is public |
Attacks Observed | a | Attacks are not observed | A | Attacks are observed |
Vendor Fix Path Formalism
CS states can be any combination of statuses, provided that a number of caveats elaborated in CS Transitions are met. One such caveat worth noting here is that valid states must follow what we call the Vendor fix path.
The reason is causal: For a fix to be deployed (D), it must have been ready (F) for deployment. And for it to be ready, the Vendor must have already known (V) about the vulnerability. As a result, valid states must begin with one of the following strings: vfd, Vfd, VFd, or VFD.
See also
See §2.4 of A State-Based Model for Multi-Party Coordinated Vulnerability Disclosure for an expanded explanation of the Vendor fix path.
```mermaid
---
title: Vendor Fix Path
---
stateDiagram-v2
    vfd : Vendor is unaware (vfd)
    Vfd : Vendor is aware (Vfd)
    VFd : Vendor is aware and fix is ready (VFd)
    VFD : Vendor is aware and fix is deployed (VFD)
    vfd --> Vfd : vendor becomes aware
    Vfd --> VFd : fix is ready
    VFd --> VFD : fix is deployed
```
The CS model is thus composed of 32 possible states, which we define as \(\mathcal{Q}^{cs}\).
CS Model States (\(\mathcal{Q}^{cs}\)) Defined
CS Model Start and End States (\(q^{cs}_0\) and \(\mathcal{F}^{cs}\)) Defined
CS Start and End States
All vulnerability cases start in the base state vfdpxa in which no events have occurred.
The lone final state in which all events have occurred is VFDPXA.
The Map is not the Territory
Note that this is a place where our model of the vulnerability lifecycle diverges from what we expect to observe in CVD cases in the real world. There is ample evidence that most vulnerabilities never have exploits published or attacks observed. See for example:
Therefore, practically speaking, we might expect vulnerabilities to wind up in one of
at the time a report is closed (i.e., when \(q^{rm} \xrightarrow{c} C\)). In fact, most count a CVD as successful when reports are closed in \(q^{cs} \in VFDPxa\) because it means that the defenders won the race against adversaries. The distinction between the RM and CS processes is important; Participants can close cases whenever their RM process dictates, independent of the CS state. In other words, it remains possible for exploits to be published or attacks to be observed long after the RM process has closed a case.
We frequently need to refer to subsets of \(\mathcal{Q}^{cs}\). To do so, we will use a dot (\(\cdot\)) to represent a single character wildcard.
CS Model Wildcard Notation Example
For example, \(VFdP \cdot \cdot\) refers to the subset of \(\mathcal{Q}^{cs}\) in which the Vendor is aware, a fix is ready but not yet deployed, and the public is aware of the vulnerability, yet we are indifferent to whether exploit code has been made public or attacks have been observed. Specifically,
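An added example, not part of the Vultron documentation or code base: it enumerates \(\mathcal{Q}^{cs}\) by applying only the Vendor fix path caveat stated on this page, decodes a state label using the substate table, and expands wildcard patterns. The function names and the acceptance of an ASCII `.` alongside `·` as the wildcard character are assumptions made for the example.

```python
import re
from itertools import product

# (lowercase letter, meaning when lowercase, meaning when uppercase), in the
# page's canonical order (v, f, d, p, x, a); meanings copied from the table.
SUBSTATES = [
    ("v", "Vendor is not aware of the report", "Vendor is aware of the report"),
    ("f", "Fix is not ready", "Fix is ready"),
    ("d", "Fix is not deployed", "Fix is deployed"),
    ("p", "Public is not aware of the report", "Public is aware of the report"),
    ("x", "Exploit is not public", "Exploit is public"),
    ("a", "Attacks are not observed", "Attacks are observed"),
]
# Vendor fix path: D requires F, and F requires V.
VENDOR_FIX_PATH = ("vfd", "Vfd", "VFd", "VFD")


def all_labels():
    """Every 2**6 case combination, before any validity caveat is applied."""
    return ["".join(c) for c in product(*[(l, l.upper()) for l, _, _ in SUBSTATES])]


def cs_states():
    """Labels whose first three letters lie on the Vendor fix path."""
    return [s for s in all_labels() if s.startswith(VENDOR_FIX_PATH)]


def describe(label):
    """Decode a valid state label into its six substate meanings."""
    if label not in cs_states():
        raise ValueError(f"not a valid CS state: {label!r}")
    return [yes if ch.isupper() else no for ch, (_, no, yes) in zip(label, SUBSTATES)]


def expand(pattern):
    """Expand a wildcard pattern; '·' or '.' (assumed stand-in) matches one letter."""
    pattern = pattern.replace("·", ".")
    ok = len(pattern) == 6 and all(
        ch == "." or ch.lower() == l for ch, (l, _, _) in zip(pattern, SUBSTATES))
    if not ok:
        raise ValueError(f"malformed CS pattern: {pattern!r}")
    return [s for s in cs_states() if re.fullmatch(pattern, s)]


if __name__ == "__main__":
    print(len(all_labels()), "combinations,", len(cs_states()), "valid states")
    print(describe("VFdpXa"))
    print(expand("VFdP··"))   # Vendor aware, fix ready, not deployed, public aware
    print(expand("vF····"))   # off the Vendor fix path, so no state matches
```

A pattern that contradicts the Vendor fix path, such as `vF····`, is well-formed but expands to the empty set, which makes it a quick check for labels that cannot occur in the model.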