Coordination Triage Decisions
We use three priority levels in our decision about whether and how to coordinate a vulnerability [1] based on an incoming report:
- Decline—Do not act on the report. This may take different forms, from ignoring the report to acknowledging to the reporter that we will not act and suggesting that the reporter go to the vendor, or publish if the vendor is unresponsive.
- Track—Receive information about the vulnerability and monitor for status changes but do not take any overt actions.
- Coordinate—Take action on the report. “Action” may include any one or more of: technical analysis, reproduction, notifying vendors, lead coordination (notify, communicate, and publish), publish only (amplify public message), advise only, secondary coordinator (assist another lead coordinator). See [2] for additional vulnerability management services a coordinator may provide.
Coordinator Decision Points
Our goal with the coordination decision is to base it on information that is available to the analyst when CERT/CC receives a vulnerability report. In addition to using some of the decision points in Likely Decision Points, coordination makes use of the Utility and Public Safety Impact decision points. The coordination and publication decisions for CERT/CC are about the social and collaborative state of vulnerability management. To assess this, the decision involves five new decision points.
TODO link to specific decision points
Coordination Triage Decision Process
The decision tree for reaching a Decision involves seven decision points. The first two function as gating questions:
- If a report is already public, then CERT/CC will decline the case unless there are multiple suppliers, super effective Utility, and significant Public Safety Impact.
- If no suppliers have been contacted, then CERT/CC will decline the case unless there are multiple suppliers, super effective Utility, and significant Public Safety Impact.
In the second case, CERT/CC may encourage the reporter to contact the supplier and submit a new case request if the supplier is unresponsive.
These two sets of exceptional circumstances mean that the seven decision points involved in the coordination triage tree can be compressed slightly, as the tree below shows. This tree's information is available as either a CSV or a PDF file.
Triage Decision Tree
This tree is a suggestion, in that CERT/CC believes it works for us. Other coordinators should consider customizing the tree to their needs, as described in Tree Construction and Customization Guidance.
Table of Values
row | Public | Contacted | Report_Credibility | Cardinality | Engagement | Utility | Public_Safety_Impact | Priority |
---|---|---|---|---|---|---|---|---|
1 | no | yes | no | one | active | laborious | minimal | decline |
2 | no | yes | no | one | active | laborious | significant | decline |
3 | no | yes | no | one | active | efficient | minimal | decline |
4 | no | yes | no | one | active | efficient | significant | track |
5 | no | yes | no | one | active | super effective | minimal | decline |
6 | no | yes | no | one | active | super effective | significant | track |
7 | no | yes | no | one | unresponsive | laborious | minimal | decline |
8 | no | yes | no | one | unresponsive | laborious | significant | decline |
9 | no | yes | no | one | unresponsive | efficient | minimal | decline |
10 | no | yes | no | one | unresponsive | efficient | significant | track |
11 | no | yes | no | one | unresponsive | super effective | minimal | decline |
12 | no | yes | no | one | unresponsive | super effective | significant | track |
13 | no | yes | no | multiple | active | laborious | minimal | decline |
14 | no | yes | no | multiple | active | laborious | significant | track |
15 | no | yes | no | multiple | active | efficient | minimal | decline |
16 | no | yes | no | multiple | active | efficient | significant | track |
17 | no | yes | no | multiple | active | super effective | minimal | track |
18 | no | yes | no | multiple | active | super effective | significant | coordinate |
19 | no | yes | no | multiple | unresponsive | laborious | minimal | decline |
20 | no | yes | no | multiple | unresponsive | laborious | significant | track |
21 | no | yes | no | multiple | unresponsive | efficient | minimal | decline |
22 | no | yes | no | multiple | unresponsive | efficient | significant | track |
23 | no | yes | no | multiple | unresponsive | super effective | minimal | track |
24 | no | yes | no | multiple | unresponsive | super effective | significant | coordinate |
25 | no | yes | yes | one | active | laborious | minimal | decline |
26 | no | yes | yes | one | active | laborious | significant | decline |
27 | no | yes | yes | one | active | efficient | minimal | decline |
28 | no | yes | yes | one | active | efficient | significant | track |
29 | no | yes | yes | one | active | super effective | minimal | decline |
30 | no | yes | yes | one | active | super effective | significant | track |
31 | no | yes | yes | one | unresponsive | laborious | minimal | track |
32 | no | yes | yes | one | unresponsive | laborious | significant | coordinate |
33 | no | yes | yes | one | unresponsive | efficient | minimal | coordinate |
34 | no | yes | yes | one | unresponsive | efficient | significant | coordinate |
35 | no | yes | yes | one | unresponsive | super effective | minimal | coordinate |
36 | no | yes | yes | one | unresponsive | super effective | significant | coordinate |
37 | no | yes | yes | multiple | active | laborious | minimal | decline |
38 | no | yes | yes | multiple | active | laborious | significant | track |
39 | no | yes | yes | multiple | active | efficient | minimal | decline |
40 | no | yes | yes | multiple | active | efficient | significant | track |
41 | no | yes | yes | multiple | active | super effective | minimal | coordinate |
42 | no | yes | yes | multiple | active | super effective | significant | coordinate |
43 | no | yes | yes | multiple | unresponsive | laborious | minimal | coordinate |
44 | no | yes | yes | multiple | unresponsive | laborious | significant | coordinate |
45 | no | yes | yes | multiple | unresponsive | efficient | minimal | coordinate |
46 | no | yes | yes | multiple | unresponsive | efficient | significant | coordinate |
47 | no | yes | yes | multiple | unresponsive | super effective | minimal | coordinate |
48 | no | yes | yes | multiple | unresponsive | super effective | significant | coordinate |
49 | yes | yes | no | multiple | active | super effective | significant | coordinate |
50 | yes | yes | no | multiple | unresponsive | super effective | significant | coordinate |
51 | yes | yes | yes | multiple | active | super effective | significant | coordinate |
52 | yes | yes | yes | multiple | unresponsive | super effective | significant | coordinate |
53 | yes | no | no | multiple | active | super effective | significant | coordinate |
54 | yes | no | no | multiple | unresponsive | super effective | significant | coordinate |
55 | yes | no | yes | multiple | active | super effective | significant | coordinate |
56 | yes | no | yes | multiple | unresponsive | super effective | significant | coordinate |
57 | yes | yes | no | one | active | laborious | minimal | decline |
58 | yes | yes | no | one | active | efficient | minimal | decline |
59 | yes | yes | no | one | unresponsive | laborious | minimal | decline |
60 | yes | yes | no | one | unresponsive | efficient | minimal | decline |
61 | yes | yes | yes | one | active | laborious | minimal | decline |
62 | yes | yes | yes | one | active | efficient | minimal | decline |
63 | yes | yes | yes | one | unresponsive | laborious | minimal | decline |
64 | yes | yes | yes | one | unresponsive | efficient | minimal | decline |
65 | yes | no | no | one | active | laborious | minimal | decline |
66 | yes | no | no | one | active | efficient | minimal | decline |
67 | yes | no | no | one | unresponsive | laborious | minimal | decline |
68 | yes | no | no | one | unresponsive | efficient | minimal | decline |
69 | yes | no | yes | one | active | laborious | minimal | decline |
70 | yes | no | yes | one | active | efficient | minimal | decline |
71 | yes | no | yes | one | unresponsive | laborious | minimal | decline |
72 | yes | no | yes | one | unresponsive | efficient | minimal | decline |
73 | no | no | no | multiple | active | super effective | significant | coordinate |
74 | no | no | no | multiple | unresponsive | super effective | significant | coordinate |
75 | no | no | yes | multiple | active | super effective | significant | coordinate |
76 | no | no | yes | multiple | unresponsive | super effective | significant | coordinate |
77 | no | no | no | one | active | laborious | minimal | decline |
78 | no | no | no | one | active | efficient | minimal | decline |
79 | no | no | no | one | unresponsive | laborious | minimal | decline |
80 | no | no | no | one | unresponsive | efficient | minimal | decline |
81 | no | no | yes | one | active | laborious | minimal | decline |
82 | no | no | yes | one | active | efficient | minimal | decline |
83 | no | no | yes | one | unresponsive | laborious | minimal | decline |
84 | no | no | yes | one | unresponsive | efficient | minimal | decline |
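The gating questions and the Table of Values, written out as a Python function so the table can be checked mechanically. This is an added example, not the SSVC project's code: `triage`, `check_table` and the branch conditions are my own compression of the 84 rows, and `SAMPLE_ROWS` is copied from the table above.

```python
DECISION_POINTS = {  # allowed values per decision point, spelled as in the table
    "Public": ("no", "yes"),
    "Contacted": ("no", "yes"),
    "Report_Credibility": ("no", "yes"),
    "Cardinality": ("one", "multiple"),
    "Engagement": ("active", "unresponsive"),
    "Utility": ("laborious", "efficient", "super effective"),
    "Public_Safety_Impact": ("minimal", "significant"),
}

def triage(**dp: str) -> str:
    """Return 'decline', 'track' or 'coordinate' for one incoming report."""
    for name, allowed in DECISION_POINTS.items():
        if dp.get(name) not in allowed:
            raise ValueError(f"{name} must be one of {allowed}, got {dp.get(name)!r}")
    multiple = dp["Cardinality"] == "multiple"
    super_eff = dp["Utility"] == "super effective"
    laborious = dp["Utility"] == "laborious"
    significant = dp["Public_Safety_Impact"] == "significant"
    exceptional = multiple and super_eff and significant
    # Gating questions: already public, or no supplier contacted yet.
    if dp["Public"] == "yes" or dp["Contacted"] == "no":
        return "coordinate" if exceptional else "decline"
    credible = dp["Report_Credibility"] == "yes"
    ignored = credible and dp["Engagement"] == "unresponsive"
    if not multiple:  # one supplier: a credible report it ignores is what makes CERT/CC act
        if ignored:
            return "track" if laborious and not significant else "coordinate"
        return "track" if significant and not laborious else "decline"
    if ignored or (super_eff and (credible or significant)):  # multiple suppliers
        return "coordinate"
    return "track" if significant or super_eff else "decline"

def check_table(table_text: str) -> list:
    """Return row numbers (rows in the page's pipe layout) where triage() disagrees."""
    bad = []
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.strip("| \t").split("|")]
        if triage(**dict(zip(DECISION_POINTS, cells[1:8]))) != cells[8]:
            bad.append(int(cells[0]))
    return bad

# Rows copied from the Table of Values above, one per distinct branch.
SAMPLE_ROWS = """\
18 | no | yes | no | multiple | active | super effective | significant | coordinate |
31 | no | yes | yes | one | unresponsive | laborious | minimal | track |
41 | no | yes | yes | multiple | active | super effective | minimal | coordinate |
57 | yes | yes | no | one | active | laborious | minimal | decline |
73 | no | no | no | multiple | active | super effective | significant | coordinate |
"""
```

Feeding the full CSV to `check_table` should return an empty list; any row number it returns is a place where the compressed branches and the published table disagree.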
1. Allen D. Householder, Garret Wassermann, Art Manion, and Christopher King. The CERT® guide to coordinated vulnerability disclosure. Technical Report CMU/SEI-2017-TR-022, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, 2020. URL: https://vuls.cert.org/confluence/display/CVD/Executive+Summary.
2. Vilius Benetis, Olivier Caleff, Cristine Hoepers, Angela Horneman, Allen Householder, Klaus-Peter Kossakowski, Art Manion, Amanda Mullens, Samuel Perl, Daniel Roethlisberger, Sigitas Rokas, Mary Rossell, Robin M. Ruefle, Désirée Sacher, Krassimir T. Tzvetanov, and Mark Zajicek. Computer security incident response team (CSIRT) services framework. Technical Report ver. 2, FIRST, Cary, NC, USA, 2019.