CERTCC / CERT-Guide-to-CVD

Content for the CERT Guide to Coordinated Vulnerability Disclosure
https://certcc.github.io/CERT-Guide-to-CVD/

Supply chain concerns. #11

Open sei-vsarvepalli opened 11 months ago

sei-vsarvepalli commented 11 months ago

Is your feature request related to a problem? Please describe. No

Describe the solution you'd like We should highlight some of the supply-chain CVD processes and concerned areas.

Describe alternatives you've considered There may be just a potential link to Supply-Chain Disclosure if there is such a generic thing. In this context, Disclosure could be not just Vulnerability but any other incident that supply-chain stakeholders should communicate with each other for reliable usage of products/services.

Additional context Recent cybersecurity incidents and US National Cybersecurity Strategy have highlighted supply-chain concerns. We need to consider and perhaps expand more of the Vertical and Horizontal supply-chain concerns. The current supply chain concerns are mentioned in

We could spend a bit more information on how the CVD process should inherently observe and adopt supply-chain for OEMs and their relationships to OCMs (Original Component Manufacturers) and multi-level OCM providers. Concerns such as the OCM being an open source project - how does supply-chain CVD work, and how does disclosure ripple from OEM to OCM or the other way?

ahouseholder commented 2 months ago

What would you add to https://certcc.github.io/CERT-Guide-to-CVD/howto/coordination/mpcvd/#complicated-supply-chains to make it better?

(If it gets big enough we can split it into a separate page, I just don't know what we'd want to add/change based on what we already have.)

sei-vsarvepalli commented 2 months ago

I would really like to enumerate some of these practical multiparty concerns in a little more detail if possible. Perhaps with input from Coordinators?

  1. Embargo date (related publication/release) management in MPCVD
  2. Variance (not statistical but plain English) of impact
  3. Variance of fixes and their deployments
  4. The need for an alliance/agreement among the Vendors where one may not have existed (e.g., open source and commercial, or commercial to commercial)
  5. Potential inter-vendor conversations not known to other Vendors and the Coordinator himself.
  6. Expectation mismatch between the Finder and multiple Vendors

Some of these may not have any solutions but will help the Coordinator set expectations and help adhere to some communications and outreach techniques that reduce the risk of MPCVD going awry.

I think as software grows the reuse of software is also likely to grow. The MPCVD is an unavoidable "wicked problem" indeed with parties that are loosely connected and benevolence is the only card to play.