
Designing Vultron: A Protocol for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)

September 2022 Special Report
Allen D. Householder

This report proposes a formal protocol specification for MPCVD to improve the interoperability of both CVD and MPCVD processes.

Publisher:

Software Engineering Institute

CMU/SEI Report Number

CMU/SEI-2022-SR-012

DOI (Digital Object Identifier):

10.1184/R1/19852798

Abstract

The Coordinated Vulnerability Disclosure (CVD) process addresses a human coordination problem that spans individuals and organizations. In this report, we propose a formal protocol specification for Multi-Party Coordinated Vulnerability Disclosure (MPCVD) with the goal of improving the interoperability of both CVD and MPCVD processes. The Vultron protocol is composed of three interacting Deterministic Finite Automata (DFAs) for each CVD case Participant representing the Report Management (RM), Embargo Management (EM), and CVD Case State (CS) processes. Additionally, we provide guidance and commentary on the associated MPCVD Participant capabilities and behaviors necessary for this interoperability to be realized.
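To make the "three interacting DFAs per Participant" structure concrete, here is an added toy model (example code written for this page, not the report's or the Vultron project's own code) in which one Participant owns a Report Management machine, an Embargo Management machine and a Case State machine, and a cross-process rule lets an event in one machine drive another. The specific state and event names are my recollection of the Vultron documentation and should be treated as an assumption; the abstract above only names the three processes. The ordering constraints in the case-state machine (a fix cannot be ready before the vendor is aware, nor deployed before it is ready) and the rule that public disclosure terminates an active embargo are likewise assumptions made for the example.

```python
"""Toy model of a Vultron-style CVD Participant built from three interacting state machines."""
from dataclasses import dataclass, field
from itertools import product


class DFA:
    """Minimal deterministic finite automaton: a current state plus a (state, event) -> state table."""

    def __init__(self, name: str, start: str, transitions: dict[tuple[str, str], str]):
        self.name = name
        self.state = start
        self.transitions = transitions

    def step(self, event: str) -> str:
        key = (self.state, event)
        if key not in self.transitions:
            # Undefined transitions are protocol violations, not silently ignored.
            raise ValueError(f"{self.name}: no transition from {self.state!r} on {event!r}")
        self.state = self.transitions[key]
        return self.state


# Report Management (RM). State names are an assumption recalled from the Vultron docs.
RM_TRANSITIONS = {
    ("Start", "receive"): "Received",
    ("Received", "validate"): "Valid",
    ("Received", "invalidate"): "Invalid",
    ("Invalid", "validate"): "Valid",      # re-validated after new information arrives
    ("Invalid", "close"): "Closed",
    ("Valid", "accept"): "Accepted",
    ("Valid", "defer"): "Deferred",
    ("Accepted", "defer"): "Deferred",
    ("Deferred", "accept"): "Accepted",
    ("Accepted", "close"): "Closed",
    ("Deferred", "close"): "Closed",
}

# Embargo Management (EM). Likewise assumed state names.
EM_TRANSITIONS = {
    ("None", "propose"): "Proposed",
    ("Proposed", "accept"): "Active",
    ("Proposed", "reject"): "None",
    ("Proposed", "terminate"): "Exited",
    ("Active", "propose_revision"): "Revise",
    ("Active", "terminate"): "Exited",
    ("Revise", "accept"): "Active",
    ("Revise", "reject"): "Active",
    ("Revise", "terminate"): "Exited",
}

# Case State (CS): six monotonic facts, lowercase = false, uppercase = true.
# v/V vendor aware, f/F fix ready, d/D fix deployed, p/P public aware, x/X exploit public, a/A attacks observed.
CS_FLAGS = "vfdpxa"


def build_cs_transitions() -> dict[tuple[str, str], str]:
    """Enumerate all 64 case states; the event for a fact is its uppercase letter."""
    trans = {}
    for bits in product((False, True), repeat=len(CS_FLAGS)):
        state = "".join(c.upper() if b else c for c, b in zip(CS_FLAGS, bits))
        for i, (c, b) in enumerate(zip(CS_FLAGS, bits)):
            if b:
                continue                      # facts never revert once true
            if c == "f" and not bits[0]:
                continue                      # assumption: fix ready requires vendor awareness
            if c == "d" and not bits[1]:
                continue                      # assumption: fix deployed requires fix ready
            trans[(state, c.upper())] = state[:i] + c.upper() + state[i + 1:]
    return trans


@dataclass
class Participant:
    """One CVD case Participant: three machines plus the rules that couple them."""
    name: str
    rm: DFA = field(default_factory=lambda: DFA("RM", "Start", RM_TRANSITIONS))
    em: DFA = field(default_factory=lambda: DFA("EM", "None", EM_TRANSITIONS))
    cs: DFA = field(default_factory=lambda: DFA("CS", "vfdpxa", build_cs_transitions()))

    def states(self) -> tuple[str, str, str]:
        return (self.rm.state, self.em.state, self.cs.state)

    def case_is_public(self) -> bool:
        # P, X or A set means the world already knows; an embargo can no longer hold.
        return any(ch.isupper() for ch in self.cs.state[3:])

    def propose_embargo(self) -> str:
        if self.case_is_public():
            raise ValueError(f"{self.name}: cannot propose an embargo once the case is public")
        return self.em.step("propose")

    def observe(self, cs_event: str) -> tuple[str, str, str]:
        """Apply a CS event, then let it drive EM: public disclosure terminates any live embargo."""
        self.cs.step(cs_event)
        if self.case_is_public() and self.em.state in ("Proposed", "Active", "Revise"):
            self.em.step("terminate")
        return self.states()
```

Walking a vendor through the model: receive, validate and accept the report (RM), propose and accept an embargo (EM), then record vendor awareness, fix readiness and finally public awareness (CS); the last step moves EM to Exited without any explicit embargo call, which is the kind of cross-machine coupling the full protocol specifies formally.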