Designing Vultron: A Protocol for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)
• Special Report
Software Engineering Institute
CMU/SEI Report NumberCMU/SEI-2022-SR-012
DOI (Digital Object Identifier)10.1184/R1/19852798
The Coordinated Vulnerability Disclosure (CVD) process addresses a human coordination problem that spans individuals and organizations. In this report, we propose a formal protocol specification for Multi-Party Coordinated Vulnerability Disclosure (MPCVD) with the goal of improving the interoperability of both CVD and MPCVD processes. The Vultron protocol is composed of three interacting Deterministic Finite Automata (DFAs) for each CVD case Participant representing the Report Management (RM), Embargo Management (EM), and CVD Case State (CS) processes. Additionally, we provide guidance and commentary on the associated MPCVD Participant capabilities and behaviors necessary for this interoperability to be realized.