# HG changeset patch # User Benoît Allard # Date 1412692198 -7200 # Node ID 496ae1e8e90c90c495e87ac69dc952f432fffc3a # Parent 5583ddcd61645b8a35034f787b3001c788d88bb6 Add Descriptions for edit_involvement diff -r 5583ddcd6164 -r 496ae1e8e90c farol/templates/document/edit_publisher.j2 --- a/farol/templates/document/edit_publisher.j2 Tue Oct 07 16:15:43 2014 +0200 +++ b/farol/templates/document/edit_publisher.j2 Tue Oct 07 16:29:58 2014 +0200 @@ -44,7 +44,7 @@
Everyone using a vendor’s product.
Other:
Catchall for everyone else. Currently this includes forwarders, republishers, language translators, and miscellaneous contributors.
- + {% endcall %} {% call textinput("vendorid", "Vendor ID", "", publisher._vendorid or '') %}

The optional Vendor ID attribute is a unique identifier (OID) that a vendor uses as issued by FIRST under the auspices of IETF. At the time of this writing, OID is a work in progress.
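Review bot: the commit message ("Add Descriptions for edit_involvement") does not mention this change to farol/templates/document/edit_publisher.j2, and in this rendering the single replaced line (the `-`/`+` pair just before `{% endcall %}`) shows no content, so what was fixed in the publisher template cannot be checked here; please name the publisher-side fix in the message or split it into its own changeset. Minor: "At the time of this writing, OID is a work in progress" is spec wording baked into form help text with no date or version, so a short note of which CVRF text it was copied from would make it easier to revisit once the OID scheme is settled.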

diff -r 5583ddcd6164 -r 496ae1e8e90c farol/templates/vulnerability/edit_involvement.j2 --- a/farol/templates/vulnerability/edit_involvement.j2 Tue Oct 07 16:15:43 2014 +0200 +++ b/farol/templates/vulnerability/edit_involvement.j2 Tue Oct 07 16:29:58 2014 +0200 @@ -24,17 +24,50 @@ -#} {% extends "base.j2" %} -{% from "macros.j2" import textinput, textarea, selectinput %} +{% from "macros.j2" import textinput, textarea, selectinput, examples %} {% block title %}Edit Involvement{% endblock %} {% set active = 'vulnerability' %} {% block content %} +

The Involvement container allows the document producers (or third party) to comment on their level of involvement in the vulnerability identification, scoping, and remediation process.

-{{ selectinput("party", "Party", parties, party) }} -{{ selectinput("status", "Status", statuses, status) }} -{{ textarea("description", "Description", "", description, 10) }} +{% call selectinput("party", "Party", parties, party) %} +

The attribute Party indicates the type of the producer issuing the status. It is identical to the Document Publisher attribute Type. Most of the time, both attributes will be the same because document producers will issue an Involvement status on their own behalf. However, if the document producer wants to issue a status on behalf of a third party and use a different type from that used in Document Publisher, that use is allowed by the schema. If this is the case, Description should contain additional context regarding what is going on.

+
+
Vendor:
+
Developers or maintainers of information system products or services. This includes all authoritative product vendors, Product Security Incident Response Teams (PSIRTs), and product resellers and distributors, including authoritative vendor partners.
+
Discoverer:
+
Individuals or organizations that find vulnerabilities or security weaknesses. This includes all manner of researchers.
+
Coordinator:
+
Individuals or organizations that manage a single vendor’s response or multiple vendors’ responses to a vulnerability, a security flaw, or an incident. This includes all Computer Emergency/Incident Response Teams (CERTs/CIRTs) or agents acting on the behalf of a researcher.
+
User:
+
Everyone using a vendor’s product.
+
Other:
+
Catchall for everyone else. Currently this includes forwarders, republishers, language translators, and miscellaneous contributors.
+
+{% endcall %} + +{% call selectinput("status", "Status", statuses, status) %} +

The attribute Status indicates the level of involvement of Party.

+

The child Description (below) is an optional element used to give context about the involvement or engagement of the Party.

+

The final two status states, Contact Attempted and Not Contacted, are intended for use by document producers other than vendors (such as research or coordinating entities).

+

Status types include:

+
+
Open:
This is the default status. It doesn’t indicate anything about the vulnerability remediation effort other than the fact that the vendor has acknowledged awareness of the vulnerability report. The use of this status by a vendor indicates that future updates from the vendor about the vulnerability are to be expected.
+
Disputed:
This status indicates that the vendor disputes the vulnerability report in its entirety. Vendors should indicate this status when they believe that a vulnerability report regarding their product is completely inaccurate (that there is no real underlying security vulnerability) or that the technical issue being reported has no security implications.
+
In Progress:
This status indicates that some hotfixes, permanent fixes, mitigations, workarounds, or patches may have been made available by the vendor, but more information or fixes may be released in the future. The use of this status by a vendor indicates that future information from the vendor about the vulnerability is to be expected.
+
Completed:
The vendor asserts that investigation of the vulnerability is complete. No additional information, fixes, or documentation from the vendor about the vulnerability should be expected to be released.
+
Contact Attempted:
The document producer attempted to contact the affected vendor.
+
Not Contacted:
The document producer has not attempted to make contact with the affected vendor.
+
+

Each status is mutually exclusive—only one status is valid for a particular vulnerability at a particular time. As the vulnerability ages, a party’s involvement could move from state to state. However, in many cases, a document producer may choose not to issue CVRF documents at each state, or simply omit this element altogether. It is recommended, however, that vendors that issue CVRF documents indicating an open or in-progress Involvement should eventually expect to issue a document as Disputed or Completed.

+{% endcall %} +{% call textarea("description", "Description", "", description, 10) %} +

The Description element will contain a thorough human-readable discussion of the Involvement.

+{{ examples(['Cisco acknowledges that the IronPort Email Security Appliances (ESA) and Cisco IronPort Security Management Appliances (SMA) contain a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. A Mitigation is available.', 'We emailed the vendor on February 14, 2012 when the vulnerability was first discovered by our team.']) }} +{% endcall %} Cancel
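Review bot: the Party definitions added inside the `{% call selectinput("party", "Party", parties, party) %}` block (Vendor, Discoverer, Coordinator, User, Other) are a verbatim copy of the list already present in edit_publisher.j2 (the "Everyone using a vendor's product" / "Catchall for everyone else" context lines in the first hunk); move that list into a macro in macros.j2 next to the new `examples` import and call it from both templates so the two copies cannot drift. Two smaller points on the help text versus the form: it says Description "should contain additional context" when Party differs from the Document Publisher Type, and that Contact Attempted and Not Contacted are meant for producers other than vendors, yet the textarea stays optional and every status is offered for every party, so either enforce those rules where the form is processed or state in the text that they are not enforced here. Finally, the strings passed to `examples()` name a real vendor and product (Cisco IronPort ESA/SMA) and a specific date; a template comment saying where they were taken from would keep them from being mistaken for Farol's own advisory data.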