Vultron

Vultron is a research project to explore the creation of a federated, decentralized, and open source protocol for coordinated vulnerability disclosure (CVD). It has grown out of the CERT/CC's decades of experience in coordinating global response to software vulnerabilities. The goal is to create a protocol that can be used by any organization to coordinate the disclosure of vulnerabilities in information processing systems (software, hardware, services, etc.), and to build a community of interoperability across independent organizations processes and policies that can work together to coordinate appropriate responses to vulnerabilities.

Vultron is a collection of ideas, models, code, and work in progress, and is not yet ready for production use.

Vultron is a continuation of the CERT/CC's work on improving the coordination of vulnerability disclosure and response. Our previous work in this area includes:

• The CERT Guide to Coordinated Vulnerability Disclosure (Version 1.0, Version 2.0 )

• Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (SSVC) (Version 1.0, Version 2.0, github )

• The Vulnerability Information and Coordination Environment (VINCE) (blog post, github )

• A variety of related research, including

  • Cybersecurity Information Sharing: Analysing an Email Corpus of Coordinated Vulnerability Disclosure
  • Historical Analysis of Exploit Availability Timelines

More recently, the CERT/CC has been working towards formalizing this knowledge into a protocol for CVD. This work began with A State-Based Model for Multi-Party Coordinated Vulnerability Disclosure (MPCVD), which also appeared in an abridged form as Are We Skillful or Just Lucky? Interpreting the Possible Histories of Vulnerability Disclosures in the ACM Journal Digital Threats: Research and Practice. In 2022, we published a collection of Coordinated Vulnerability Disclosure User Stories derived from both our process modeling work and from the experience of building VINCE. That same year, we published Designing Vultron: A Protocol for Multi-Party Coordinated Vulnerability Disclosure (MPCVD), which serves as the basis for the work contained in this repository.

Vultron is:

• A set of high-level processes representing the steps involved in coordinated vulnerability disclosure
• A formal protocol describing the interactions of those processes
• A set of behavior logic that can be implemented as either procedures for humans to follow or (in many cases) code that can perform actions in response to state changes in a case with minimal human input
• A minimal data model for what information is necessary to track participant status and the overall case status through the course of handling a CVD case

The above were all initially described in the Designing Vultron: A Protocol for Multi-Party Coordinated Vulnerability Disclosure (MPCVD) report.

In this repository, we are taking the first steps towards implementing the protocol and behavior logic described in that report. Currently, the work is focused on mapping the formal protocol onto the syntax and semantics of the ActivityPub protocol. Examples of our first steps in that direction can be found in doc/examples

Vultron is not a drop-in replacement for any particular

• tracking system—e.g., Bugzilla, Jira
• CVD or threat coordination tool—e.g., VINCE, MISP
• Vulnerability disclosure program—e.g., DC3 VDP
• Vulnerability disclosure platform or service—e.g., HackerOne, Bugcrowd, Synack

Instead, it is our hope that Vultron could serve as a lingua franca for the exchange of vulnerability case coordination information between those systems and services.

Vultron is not a vulnerability priortization tool, although it is intended to be compatible with common prioritization schemes like SSVC and CVSS.

Vultron is not intended to be a product, rather it's meant to be a feature set that can be implemented in a variety of CVD-related products and services to enable interoperability between them.

For more about our work in modeling, formalizing, and describing the CVD process, see:

• Designing Vultron: A Protocol for Multi-Party Coordinated Vulnerability Disclosure (MPCVD) (2022) is the initial Vultron report.
  • SEI Blog post on Vultron (2022-09-26)
  • SEI Podcast on Vultron (2023-02-24)
• CERT Guide to Coordinated Vulnerabilty Disclosure (2017, 2019)
• A State-Based Model for Multi-Party Coordinated Vulnerability Disclosure (MPCVD) (2021)
  • (abridged as) Are We Skillful or Just Lucky? Interpreting the Possible Histories of Vulnerability Disclosures (2022)
• Coordinated Vulnerability Disclosure User Stories (2022)
• Multi-Method Modeling and Analysis of the Cybersecurity Vulnerability Management Ecosystem (2019) is a snapshot of some related System Dynamics and Agent-based modeling we did of CVD and related processes.
• Coordinated Vulnerability Disclosure is a Concurrent Process (2015) is an older talk which looks at a number of prior models of the CVD process, and shows some of our early attempts to formally describe the concurrency aspects of the CVD process.

We are still working out the correct licensing model for this effort, but for now, this repository is covered by the included copyright statement.

If you have feedback on this topic (including whether the copyright/license is causing difficulty for you to collaborate with us on this project), please let us know in an issue.