Enumerating Decisions

Stakeholders with different responsibilities in vulnerability management have very different decisions to make. This section focuses on the differences among organizations based on their vulnerability management responsibilities. Some decision makers may have different responsibilities in relation to different software.

Example: Different Responsibilities for Different Software

For example, an Android app developer is the developer (supplier) of the app, but is a deployer for any changes to the Android OS API. The same holds whenever a product depends on a library or platform maintained by someone else:

  • A web browser developer makes decisions about applying patches to DNS lookup libraries and transport layer security (TLS) libraries.
  • A video game developer makes decisions about applying patches released to the Unreal Engine.
  • A medical device developer makes decisions about applying patches to the Linux kernel.

The list goes on.

Alternatively, one might view applying patches as including some development and distribution of the updated product. Or one might take the converse view, that development includes updating libraries. Either way, in each of these examples (mobile device apps, web browsers, video games, medical devices), we recommend that the professionals who actually make the decisions do three things:

  1. identify the decisions explicitly
  2. describe how they view their role(s)
  3. identify which software projects their decision relates to

If their decisions are explicit, then the decision makers can use the recommendations from this document that are relevant to them.