Software Engineering Institute

This white paper provides a set of user stories intended to guide the development of a technical protocol and application programmable interface (API) for Coordinated Vulnerability Disclosure (CVD). These user stories reflect internal discussions with the CERT/Coordination Center (CC) based on our own experiences in developing and using the VINCE platform as well as our ongoing CVD practices. The user stories are expected to be utilized by the CVD team to better understand, create, and implement a CVD Protocol. In addition, the CERT/CC believes that these user cases will be useful for any enterprise designing or implementing its own CVD policies, processes, and procedures.