Coordination Triage Decisions

We use three priority levels in our decision about whether and how to coordinate a vulnerability [1] based on an incoming report:

  • Decline—Do not act on the report. This may take different forms, from ignoring the report to acknowledging to the reporter that we will not act and suggesting that the reporter go to the vendor directly, or publish if the vendor is unresponsive.
  • Track—Receive information about the vulnerability and monitor for status changes but do not take any overt actions.
  • Coordinate—Take action on the report. “Action” may include any one or more of: technical analysis, reproduction, notifying vendors, lead coordination (notify, communicate, and publish), publish only (amplify public message), advise only, secondary coordinator (assist another lead coordinator). See [2] for additional vulnerability management services a coordinator may provide.

Coordinator Decision Points

Our goal with the coordination decision is to base it on information that is available to the analyst when CERT/CC receives a vulnerability report. In addition to using some of the decision points in Likely Decision Points, coordination makes use of the Utility and Public Safety Impact decision points. The coordination and publication decisions for CERT/CC are about the social and collaborative state of vulnerability management. To assess this, the decision involves five new decision points.

TODO link to specific decision points

Coordination Triage Decision Process

The decision tree for reaching a decision involves seven decision points. The first two function as gating questions:

  • If a report is already public, then CERT/CC will decline the case unless there are multiple suppliers, super effective Utility, and significant Public Safety Impact.
  • If no suppliers have been contacted, then CERT/CC will decline the case unless there are multiple suppliers, super effective Utility, and significant Public Safety Impact.

In the second case, CERT/CC may encourage the reporter to contact the supplier and submit a new case request if the supplier is unresponsive.

These two sets of exceptional circumstances mean that the seven decision points involved in the coordination triage tree can be compressed slightly, as the tree shows. This tree's information is available as either a CSV or a PDF.

Triage Decision Tree

This tree is a suggestion in that CERT/CC believes it works for us. Other coordinators should consider customizing the tree to their needs, as described in Tree Construction and Customization Guidance.

Table of Values

| row | Public | Contacted | Report Credibility | Cardinality | Engagement | Utility | Public Safety Impact | Priority |
|---|---|---|---|---|---|---|---|---|
| 1 | no | yes | no | one | active | laborious | minimal | decline |
| 2 | no | yes | no | one | active | laborious | significant | decline |
| 3 | no | yes | no | one | active | efficient | minimal | decline |
| 4 | no | yes | no | one | active | efficient | significant | track |
| 5 | no | yes | no | one | active | super effective | minimal | decline |
| 6 | no | yes | no | one | active | super effective | significant | track |
| 7 | no | yes | no | one | unresponsive | laborious | minimal | decline |
| 8 | no | yes | no | one | unresponsive | laborious | significant | decline |
| 9 | no | yes | no | one | unresponsive | efficient | minimal | decline |
| 10 | no | yes | no | one | unresponsive | efficient | significant | track |
| 11 | no | yes | no | one | unresponsive | super effective | minimal | decline |
| 12 | no | yes | no | one | unresponsive | super effective | significant | track |
| 13 | no | yes | no | multiple | active | laborious | minimal | decline |
| 14 | no | yes | no | multiple | active | laborious | significant | track |
| 15 | no | yes | no | multiple | active | efficient | minimal | decline |
| 16 | no | yes | no | multiple | active | efficient | significant | track |
| 17 | no | yes | no | multiple | active | super effective | minimal | track |
| 18 | no | yes | no | multiple | active | super effective | significant | coordinate |
| 19 | no | yes | no | multiple | unresponsive | laborious | minimal | decline |
| 20 | no | yes | no | multiple | unresponsive | laborious | significant | track |
| 21 | no | yes | no | multiple | unresponsive | efficient | minimal | decline |
| 22 | no | yes | no | multiple | unresponsive | efficient | significant | track |
| 23 | no | yes | no | multiple | unresponsive | super effective | minimal | track |
| 24 | no | yes | no | multiple | unresponsive | super effective | significant | coordinate |
| 25 | no | yes | yes | one | active | laborious | minimal | decline |
| 26 | no | yes | yes | one | active | laborious | significant | decline |
| 27 | no | yes | yes | one | active | efficient | minimal | decline |
| 28 | no | yes | yes | one | active | efficient | significant | track |
| 29 | no | yes | yes | one | active | super effective | minimal | decline |
| 30 | no | yes | yes | one | active | super effective | significant | track |
| 31 | no | yes | yes | one | unresponsive | laborious | minimal | track |
| 32 | no | yes | yes | one | unresponsive | laborious | significant | coordinate |
| 33 | no | yes | yes | one | unresponsive | efficient | minimal | coordinate |
| 34 | no | yes | yes | one | unresponsive | efficient | significant | coordinate |
| 35 | no | yes | yes | one | unresponsive | super effective | minimal | coordinate |
| 36 | no | yes | yes | one | unresponsive | super effective | significant | coordinate |
| 37 | no | yes | yes | multiple | active | laborious | minimal | decline |
| 38 | no | yes | yes | multiple | active | laborious | significant | track |
| 39 | no | yes | yes | multiple | active | efficient | minimal | decline |
| 40 | no | yes | yes | multiple | active | efficient | significant | track |
| 41 | no | yes | yes | multiple | active | super effective | minimal | coordinate |
| 42 | no | yes | yes | multiple | active | super effective | significant | coordinate |
| 43 | no | yes | yes | multiple | unresponsive | laborious | minimal | coordinate |
| 44 | no | yes | yes | multiple | unresponsive | laborious | significant | coordinate |
| 45 | no | yes | yes | multiple | unresponsive | efficient | minimal | coordinate |
| 46 | no | yes | yes | multiple | unresponsive | efficient | significant | coordinate |
| 47 | no | yes | yes | multiple | unresponsive | super effective | minimal | coordinate |
| 48 | no | yes | yes | multiple | unresponsive | super effective | significant | coordinate |
| 49 | yes | yes | no | multiple | active | super effective | significant | coordinate |
| 50 | yes | yes | no | multiple | unresponsive | super effective | significant | coordinate |
| 51 | yes | yes | yes | multiple | active | super effective | significant | coordinate |
| 52 | yes | yes | yes | multiple | unresponsive | super effective | significant | coordinate |
| 53 | yes | no | no | multiple | active | super effective | significant | coordinate |
| 54 | yes | no | no | multiple | unresponsive | super effective | significant | coordinate |
| 55 | yes | no | yes | multiple | active | super effective | significant | coordinate |
| 56 | yes | no | yes | multiple | unresponsive | super effective | significant | coordinate |
| 57 | yes | yes | no | one | active | laborious | minimal | decline |
| 58 | yes | yes | no | one | active | efficient | minimal | decline |
| 59 | yes | yes | no | one | unresponsive | laborious | minimal | decline |
| 60 | yes | yes | no | one | unresponsive | efficient | minimal | decline |
| 61 | yes | yes | yes | one | active | laborious | minimal | decline |
| 62 | yes | yes | yes | one | active | efficient | minimal | decline |
| 63 | yes | yes | yes | one | unresponsive | laborious | minimal | decline |
| 64 | yes | yes | yes | one | unresponsive | efficient | minimal | decline |
| 65 | yes | no | no | one | active | laborious | minimal | decline |
| 66 | yes | no | no | one | active | efficient | minimal | decline |
| 67 | yes | no | no | one | unresponsive | laborious | minimal | decline |
| 68 | yes | no | no | one | unresponsive | efficient | minimal | decline |
| 69 | yes | no | yes | one | active | laborious | minimal | decline |
| 70 | yes | no | yes | one | active | efficient | minimal | decline |
| 71 | yes | no | yes | one | unresponsive | laborious | minimal | decline |
| 72 | yes | no | yes | one | unresponsive | efficient | minimal | decline |
| 73 | no | no | no | multiple | active | super effective | significant | coordinate |
| 74 | no | no | no | multiple | unresponsive | super effective | significant | coordinate |
| 75 | no | no | yes | multiple | active | super effective | significant | coordinate |
| 76 | no | no | yes | multiple | unresponsive | super effective | significant | coordinate |
| 77 | no | no | no | one | active | laborious | minimal | decline |
| 78 | no | no | no | one | active | efficient | minimal | decline |
| 79 | no | no | no | one | unresponsive | laborious | minimal | decline |
| 80 | no | no | no | one | unresponsive | efficient | minimal | decline |
| 81 | no | no | yes | one | active | laborious | minimal | decline |
| 82 | no | no | yes | one | active | efficient | minimal | decline |
| 83 | no | no | yes | one | unresponsive | laborious | minimal | decline |
| 84 | no | no | yes | one | unresponsive | efficient | minimal | decline |
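The gating questions and the Table of Values above together define a function from the seven decision points to a priority. The following is an added example (not CERT/CC's or the SSVC project's own code) that implements that function: the two gating rules come from the text, and the outcomes for the non-gated case (Public=no, Contacted=yes) are transcribed from the table, grouped by Report Credibility, Cardinality and Engagement. Combinations the table omits, such as an already-public report with a single supplier and super effective Utility, are resolved by the gating rule alone; that generalisation is our assumption, as are the `Report` class and function names.

```python
"""Coordination triage lookup built from the gating questions and the Table of Values.

Added example, not CERT/CC's own implementation. Gated combinations that the
table does not list are decided by the gating rule alone (an assumption).
"""
from dataclasses import dataclass
from itertools import product

YES_NO = ("no", "yes")
CARDINALITY = ("one", "multiple")
ENGAGEMENT = ("active", "unresponsive")
UTILITY = ("laborious", "efficient", "super effective")
PUBLIC_SAFETY_IMPACT = ("minimal", "significant")
PRIORITY = {"D": "decline", "T": "track", "C": "coordinate"}

# Outcomes for Public=no, Contacted=yes, transcribed from the table and keyed by
# (Report Credibility, Cardinality, Engagement). Each string lists the priority
# for (Utility, Public Safety Impact) in the order: laborious/minimal,
# laborious/significant, efficient/minimal, efficient/significant,
# super effective/minimal, super effective/significant.
NON_GATED = {
    ("no", "one", "active"): "DDDTDT",            # table rows 1-6
    ("no", "one", "unresponsive"): "DDDTDT",      # rows 7-12
    ("no", "multiple", "active"): "DTDTTC",       # rows 13-18
    ("no", "multiple", "unresponsive"): "DTDTTC", # rows 19-24
    ("yes", "one", "active"): "DDDTDT",           # rows 25-30
    ("yes", "one", "unresponsive"): "TCCCCC",     # rows 31-36
    ("yes", "multiple", "active"): "DTDTCC",      # rows 37-42
    ("yes", "multiple", "unresponsive"): "CCCCCC",# rows 43-48
}


@dataclass(frozen=True)
class Report:
    """One incoming report, described by the seven decision point values (hypothetical type)."""
    public: str                # is the vulnerability already public? "no"/"yes"
    contacted: str             # has any supplier been contacted? "no"/"yes"
    credible: str              # Report Credibility: "no"/"yes"
    cardinality: str           # number of suppliers: "one"/"multiple"
    engagement: str            # supplier Engagement: "active"/"unresponsive"
    utility: str               # Utility: laborious / efficient / super effective
    public_safety_impact: str  # Public Safety Impact: minimal / significant

    def validate(self):
        checks = (("public", YES_NO), ("contacted", YES_NO), ("credible", YES_NO),
                  ("cardinality", CARDINALITY), ("engagement", ENGAGEMENT),
                  ("utility", UTILITY), ("public_safety_impact", PUBLIC_SAFETY_IMPACT))
        for name, allowed in checks:
            value = getattr(self, name)
            if value not in allowed:
                raise ValueError(f"{name}={value!r}; expected one of {allowed}")


def is_exceptional(report):
    """The exception both gating questions name: multiple suppliers,
    super effective Utility and significant Public Safety Impact."""
    return (report.cardinality == "multiple"
            and report.utility == "super effective"
            and report.public_safety_impact == "significant")


def coordination_priority(report):
    """Return 'decline', 'track' or 'coordinate' for the report."""
    report.validate()
    # Gating questions: already public, or no supplier contacted yet.
    if report.public == "yes" or report.contacted == "no":
        return "coordinate" if is_exceptional(report) else "decline"
    outcomes = NON_GATED[(report.credible, report.cardinality, report.engagement)]
    index = (UTILITY.index(report.utility) * len(PUBLIC_SAFETY_IMPACT)
             + PUBLIC_SAFETY_IMPACT.index(report.public_safety_impact))
    return PRIORITY[outcomes[index]]


def priority_counts():
    """Tally the outcome over all 192 combinations of the seven decision points."""
    counts = {"decline": 0, "track": 0, "coordinate": 0}
    for values in product(YES_NO, YES_NO, YES_NO, CARDINALITY,
                          ENGAGEMENT, UTILITY, PUBLIC_SAFETY_IMPACT):
        counts[coordination_priority(Report(*values))] += 1
    return counts


if __name__ == "__main__":
    # Table row 33: not public, supplier contacted but unresponsive, credible report.
    print(coordination_priority(Report("no", "yes", "yes", "one", "unresponsive",
                                       "efficient", "minimal")))
    print(priority_counts())
```

The tally over the full 192-combination space shows how strongly the gating questions dominate: most of the space is "decline", and "coordinate" is reached only through the exceptional circumstances or the non-gated rows of the table.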

  [1] Allen D. Householder, Garret Wassermann, Art Manion, and Christopher King. The CERT® Guide to Coordinated Vulnerability Disclosure. Technical Report CMU/SEI-2017-TR-022, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, 2020. URL: https://vuls.cert.org/confluence/display/CVD/Executive+Summary

  [2] Vilius Benetis, Olivier Caleff, Cristine Hoepers, Angela Horneman, Allen Householder, Klaus-Peter Kossakowski, Art Manion, Amanda Mullens, Samuel Perl, Daniel Roethlisberger, Sigitas Rokas, Mary Rossell, Robin M. Ruefle, Désirée Sacher, Krassimir T. Tzvetanov, and Mark Zajicek. Computer Security Incident Response Team (CSIRT) Services Framework. Technical Report ver. 2, FIRST, Cary, NC, USA, 2019.