User Stories
This page is not normative
This page is not considered a core part of the Vultron Protocol as proposed in the main documentation. Although within the page we might provide guidance in terms of SHOULD, MUST, etc., the content here is not normative.
The Vultron Protocol is designed to support a variety of use cases. The following user stories are intended to capture the requirements of these use cases. While the protocol is designed to support these use cases, it is not required that all use cases be supported by the protocol.
Where appropriate, we intend to provide a reference implementation for each applicable user story.
Original User Stories from 2022 CERT/CC Whitepaper
Stories numbered from 2022_001 through 2022_102 originated in the Coordinated Vulnerability Disclosure User Stories whitepaper.
These user stories reflect internal discussions within the CERT Coordination Center (CERT/CC) based on our own experiences in developing and using the VINCE platform as well as our ongoing CVD practices. The user stories are expected to be used by the CVD team to better understand, create, and implement a CVD Protocol. In addition, the CERT/CC believes that these user stories will be useful for any enterprise designing or implementing its own CVD policies, processes, and procedures.
The remaining stories have been added since that whitepaper was published.
Support Levels
Each story page indicates a categorization according to the level of support provided by the originally published Vultron Protocol (version 0.4.0):
- Provided - Stories in this category are directly supported by the Vultron Protocol v0.4.0.
- Allowed - Stories in this category are indirectly supported by the Vultron Protocol v0.4.0.
- Unsupported - Stories in this category are not supported by the Vultron Protocol v0.4.0.
- Out-of-scope - Stories in this category are out of scope for the Vultron Protocol v0.4.0.
In the future, we expect these categories will change toward simply Supported, Unsupported and Out-of-scope. We also anticipate that as we learn more about ActivityPub and make progress on the protocol development, some of the stories in the Unsupported category could move to Supported.
User Stories Table
Legend
- Allowed
- Provided
- Unsupported
- Out-of-scope
ID | Title | Status |
---|---|---|
2022_001 | As a Finder I want to discover how to report a vulnerability so that I can notify the affected vendors and start CVD | |
2022_002 | As a Participant I want to receive vulnerability reports that I have submitted through a platform so that I can participate and track coordination efforts | |
2022_003 | As a Participant I want to Discover others' policies | |
2022_004 | As a Participant I want to parse/evaluate others' policies | |
2022_005 | As a Participant I want to optimize all of the policies involved | |
2022_006 | As a Participant I want to decide if I will/can engage | |
2022_007 | As a Participant I want to throw a flag if policy trouble detected | |
2022_008 | As a Participant I want to warn Participants and need to invoke other channels/humans. | |
2022_009 | As a Participant I want to post/publish/advertise my policy | |
2022_010 | As a Participant I want to publish/share/advertise embargo dates: have hard and absolute limits, have a default/starting point, be able to extend, propose and accept, and stop when all accept | |
2022_011 | As a Participant, I want to provide information about my bug bounty program to entice reporters to use it | |
2022_012 | As a Participant, I want to report a (new) vulnerability | |
2022_013 | As a Participant I want to Add a Participant? (de-duplicate) | |
2022_014 | As a Participant, I want to negotiate embargo/disclosure schedules, modify/renegotiate them, and know when others have published | |
2022_015 | As a Participant, I want to notify others of my intent (date) to publish | |
2022_016 | As a Participant, I want limited/ACK of vulnerability/and have full/proper advisory | |
2022_017 | As a Participant, I want to share my draft publication with others | |
2022_018 | As a Participant, I become aware of the existence of a public exploit (e.g. PoC) and want to tell others | |
2022_019 | As a Participant, I become aware of exploitation in the wild and want to tell others | |
2022_020 | As a Participant, I want to publish a vulnerability (external to protocol) | |
2022_021 | As a Participant, I want to advertise the locale (language, location, geo-scope, area of authority), aspects of my policy | |
2022_022 | As a Participant, I want to advertise the scope (e.g., products, version ranges, sites/domains) of my CVD capability | |
2022_023 | As a Participant, I want to constrain whom I communicate with because I want to enforce an embargo and communicate only with those who have a need to know. | |
2022_024 | As a Finder/Reporter, I want to constrain whom I communicate with because I want to maintain my anonymity. | |
2022_025 | As a Vendor/Deployer, I want to constrain whom I communicate with until a patch or mitigation has been published and released. | |
2022_026 | As a Coordinator, I want to constrain whom I communicate with to work within an embargo and communicate only with those who have a need to know. | |
2022_027 | As a Participant, I want to address Participants' constraints, e.g., entity lists | |
2022_028 | As a vendor or coordinator, I want others to find my information and reporting intake (duplicate of X) | |
2022_029 | As a Vendor, Deployer, and Other, I want to assign my own ID to a case | |
2022_030 | As a Participant, I want to discover and use/map to a global/shared case ID (might just be a GUID assigned at first notification; CVE is a partial example, vxref) | |
2022_031 | As a Finder, Reporter, Vendor, Coordinator, Other, I want to get from another Participant a list of cases I am involved in with them | |
2022_032 | As a Reporter, Vendor, Coordinator, Other, I want to ask Participant A if Participant D is in a case. The operator/Participant may decide by policy, possibly based on whether C and D are in the same case; "A" may or may not answer, that is their policy. | |
2022_033 | As a Finder, Reporter, Vendor, Coordinator, Other, I want to request/state that I do not want others to know I am in a case. Participant still gets to decide their policy. Covers researcher asking for anonymity. Vendor can ask not to be listed and operator can disagree/still list. | |
2022_034 | As a Participant I want to use my global/federated user ID to interact with other Participants | |
2022_035 | As a Participant I want to have confidence in the identity and group membership of others (and be willing and able to use others' groups) | |
2022_036 | As a non-vendor Participant I want to determine how integrated authentication/authorization is in the CVD protocol | |
2022_037 | As a vendor I want to publish vulnerability advisories | |
2022_038 | As a vendor or coordinator, I want to receive vulnerability reports | |
2022_039 | As a Participant I want to ask questions/generally communicate with another case Participant | |
2022_040 | As a Participant I want to ask questions/generally communicate with another case Participant unicast/point-to-point | |
2022_041 | As a Participant I want to ask questions/generally communicate with all the Participants in a case (broadcast) | |
2022_042 | As a Participant I want to ask questions/generally communicate with a subset of case Participants | |
2022_043 | As a Participant, I want to communicate in a common case channel | |
2022_044 | As a Participant I want to communicate with selected case Participants | |
2022_045 | As a Participant, I want to produce a shared verified public record of case activity | |
2022_046 | As a Participant, I want the case to have a leader (global case owner, CVD leader) | |
2022_047 | As a Participant, I want to propose a case leader, possibly myself | |
2022_048 | As a Participant, I want to vote/accept a proposed case leader | |
2022_049 | As a Participant I want to announce the case leader to all Participants | |
2022_050 | As a Participant I want to transfer case leadership to a different Participant | |
2022_051 | As a Participant, I want to depose (or vote down?) a case leader, possibly myself (step down), possibly requiring a suggestion of a replacement | |
2022_052 | As a Participant I want to add (declare and notify others) new Participants to a case | |
2022_053 | As a Participant, I want to propose new Participants to a case | |
2022_054 | As a Participant I want to vote/accept new Participants to a case | |
2022_055 | As a Participant, I want to state that I paid or received a bounty | |
2022_056 | As a Participant, I want to ask if another Participant paid a reporter | |
2022_057 | As a Participant, I want to ask a reporter if they were paid | |
2022_058 | As a Participant I want to share a draft advisory with others | |
2022_059 | As a Participant I want to share a draft advisory with others and request feedback (including status) | |
2022_060 | As a Participant I want to request advisory (draft) from a Participant | |
2022_061 | As a Participant, I want to request someone else’s (vendor) status so I can note changes in others status | |
2022_062 | As a Participant, I want to state my status so others are aware of it. | |
2022_063 | As a Participant, I want to include a non-vendor role Participant in a case | |
2022_064 | As a Participant, I want to include the Government (some/any part, could include regulator) so that they may participate in the case. | |
2022_065 | As a Participant, I want to include the Industry/trade group so that they may participate in the case. | |
2022_066 | As a Participant, I want to stop participating in the case. | |
2022_067 | As a Participant, I want to stop participating in the case and inform others that I am no longer participating. | |
2022_068 | As a Participant, I want to stop participating in the case and no longer will receive or reply to forwarded queries. | |
2022_069 | As a Participant, I want to tell others that I published so that they can know about the vulnerability and the mitigation or remediation. | |
2022_070 | As a Participant, I want to convey how information I provide can be used so that others can apply the mitigation or remediation correctly. | |
2022_071 | As a Participant, I want to convey how information I provide can be used while obeying the TLP restrictions so that others can apply the mitigation or remediation correctly. | |
2022_072 | As a Participant, I want to convey what restricted information or degree of restriction I will accept so that I won't be accused of mishandling restricted information. | |
2022_073 | As a Participant, I want to convey what TLP restricted information or degree of restriction I will accept so that I won't be accused of mishandling TLP restricted information. | |
2022_074 | As a Participant, I want to keep track of events and timelines so that I have a complete report and don't miss a deadline. | |
2022_075 | As a Participant, I want to see response times/states of other Participants so that I can be prepared for the next state in the CVD process. | |
2022_076 | As a VDP operator, I want the CVD protocol to also support VDP | |
2022_077 | As a Participant, I want to be able to ask further questions about a report, to ensure I fully understand the vulnerability and mitigation or remediation options. | |
2022_078 | As a coordinator, I want to drive better (shorter?) embargo timelines, to ensure they are feasible. | |
2022_079 | As a coordinator, I want to collect and optimize embargo timelines of all Participants (probably duplicate of 103) to ensure the timelines are feasible. | |
2022_080 | As a Participant, I want to publicly disclose sooner than others but minimize their (the others) exposure/risk | |
2022_081 | As a Participant I want to communicate important public state change message/information with all Participants. | |
2022_082 | As a non-vendor Participant I want to be informed of CVD in order to perform activities like risk assessment, mitigation, verify mitigation, not be surprised, prepare messaging, etc. | |
2022_083 | As a Participant, I want to contribute to the creation, modification and publication of an advisory. | |
2022_084 | As a vendor I want to reward the reporter by paying a bounty. | |
2022_085 | As a reporter I want to be rewarded with a bounty. | |
2022_086 | As a Participant I will prioritize my response to requests for information or action so that I contribute to a risk-minimizing CVD process and outcome | |
2022_087 | As a Participant I want to share and receive information I can use to prioritize my work regarding the vulnerability report. | |
2022_088 | As a Participant, I want to avoid missteps by maintaining knowledge of the state of case and what options are available. | |
2022_089 | As a Participant I want a mechanism that assures me of the authentication and integrity of messages. | |
2022_090 | As a Participant I need a mechanism that ensures the appropriate level of authentication of all Participants | |
2022_091 | As a Participant I need a mechanism that ensures the confidential transport and storage of information. | |
2022_092 | As a Participant, I want to know who else is participating in a case to ensure I don't void an embargo. | |
2022_093 | As a Participant, in an effort to ensure the Participant list is complete I want to know who else is participating. | |
2022_094 | As a Participant, I want to assess reputation of others so that I can decide to engage again | |
2022_095 | As a Participant, I want to provide evidence of/document my reputation to others so they can decide to engage with me | |
2022_096 | As a Participant, I want to record/log my trust in/reputation of others so I can decide to engage again | |
2022_097 | As a Participant I want to organize (create, define) my own groups of other Participants so that I can communicate successfully, participate fully and understand their requirements. | |
2022_098 | As a Participant I want to communicate with all Participants associated with this case. | |
2022_099 | As a Participant I want to communicate with non-vendor Participants, primarily other defenders, providers, CSIRTs, regulators, etc., important information. | |
2022_100 | As a vendor, coordinator or other I want to be included on a distribution list for advisories which must be clearly identified as public or non-public | |
2022_101 | As a Coordinator I want to validate the report received from Reporter or Finder before deciding CERT's active involvement for the potential Case | |
2022_102 | As a Coordinator I want to collect artifacts such as a PoC (Proof-of-Concept) exploit or code control flow analysis (static or dynamic) that can enable our validation of the security flaw being reported | |
2022_103 | As a Participant, I want to give the Finder/Reporter an opportunity to confirm that the fix addresses the vulnerability prior to publication. | |
2022_104 | As a Participant, I want to address multiple related vulnerabilities across multiple vendors simultaneously. | |
2022_105 | As a Vendor, I want to address the same vulnerability in multiple products but on different timelines so that I can avoid delaying the delivery of a ready fix to a subset of my user base. | |
2022_106 | As a Participant, I want the coordination process to be decentralized so that it is robust against individual Participant actions. | |
2022_107 | As a Vendor, I want to convey the vulnerability status of my component(s), product(s), or service(s) to other Participants. | |
2022_108 | As a Vendor, I want to convey the vulnerability status of my component(s), product(s), or service(s) to Users / the Public | |
2022_109 | As a Vendor, I want to convey the reason my component is not affected by a vulnerability to other Participants | |
2022_110 | As a Vendor, I want to convey the reason my component is not affected by a vulnerability to Users / the Public | |
2022_111 | As a Vendor, I need to know which of my products, components, or services are affected by a vulnerability report so that I know what to fix. |