markdownlint -fix #19

Merged
merged 6 commits into from
Oct 27, 2023
5 changes: 4 additions & 1 deletion .github/PULL_REQUEST_TEMPLATE/pull_request_template.md
@@ -1 +1,4 @@
Please note: Pull request submissions are subject to our [Contribution Instructions](https://github.com/CERTCC/Vultron/blob/main/ContributionInstructions.md).

---
Please note: Pull request submissions are subject to our
[Contribution Instructions](https://github.com/CERTCC/Vultron/blob/main/ContributionInstructions.md)
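Review bot: The template now opens with a lone `---` line, which is ambiguous in this position: GitHub parses a leading `---` block in issue and pull request templates as YAML front matter, and an unclosed one falls back to rendering as a horizontal rule above the notice. If front matter was intended, close it with a second `---` and put the keys between the two; if a horizontal rule was intended, it adds nothing above a one-sentence notice and can be dropped.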
2 changes: 2 additions & 0 deletions .github/workflows/lint_md_changes.yml
Expand Up @@ -18,3 +18,5 @@ jobs:
with:
globs: ${{ steps.changed-files.outputs.all_changed_files }}
separator: ","
config: .markdownlint-cli2.yaml

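Review bot: `config: .markdownlint-cli2.yaml` is resolved relative to the checkout root, so it must stay in step with the file of that name added at the repository root in this same PR. markdownlint-cli2 also discovers `.markdownlint-cli2.yaml` from the working directory on its own, so the explicit input is redundant, but it is worth keeping: it pins CI and a local `markdownlint-cli2 --fix` run (the PR title says that is how the edits below were produced) to the same rule set, which is what stops the two from disagreeing. A one-line comment saying so would keep the next editor from removing it as dead configuration.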
6 changes: 6 additions & 0 deletions .markdownlint-cli2.yaml
@@ -0,0 +1,6 @@
config:
"MD013": false
"MD033": false
"MD041": false
"MD046": false
"MD051": false
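Review bot: Five rules are switched off with no explanation of why, which is the kind of configuration that never gets revisited. Please add a comment per key naming the rule and the reason, e.g. `"MD013": false  # line-length`, `"MD046": false  # code-block-style`. The `MD033` entry deserves a sentence in particular: with `no-inline-html` disabled, raw HTML in any contributed markdown passes lint unflagged into the published docs, so reviewers of documentation PRs are now the only check on it. `MD041` (first-line-heading) off is reasonable for the `include-markdown` fragments under `docs/about/` in this PR; `MD051` (link-fragments) off means broken `#anchor` links are no longer caught either, so that one may be worth re-enabling once the headings settle.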
2 changes: 0 additions & 2 deletions Acknowledgements.md
Expand Up @@ -15,6 +15,4 @@ This work is funded in part by
of the Software Engineering Institute, a federally funded research and development center sponsored by the United States
Department of Defense.


DM23-0698

4 changes: 2 additions & 2 deletions COPYRIGHT.md
@@ -1,4 +1,4 @@
# Copyright © 2023 Carnegie Mellon University.
# Copyright © 2023 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Homeland Security under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

Expand All @@ -8,7 +8,7 @@ The view, opinions, and/or findings contained in this material are those of the

[DISTRIBUTION STATEMENT A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at <[email protected]>.

Carnegie Mellon®, CERT® and CERT Coordination Center® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.

24 changes: 12 additions & 12 deletions ContributionInstructions.md
Expand Up @@ -4,15 +4,15 @@ By making any Contribution to this project, you agree to the terms outlined belo

**IF YOU DO NOT AGREE TO THESE TERMS, DO NOT SUBMIT ANY CONTRIBUTION TO THIS PROJECT.**

# TERMS OF SUBMISSION (“Agreement”):
# TERMS OF SUBMISSION (“Agreement”)

## 1. Definitions

- "**You**" means the individual who Submits a Contribution to Us.
- "**Contribution**" means any work of authorship, including but not limited to source code, object code, patch, tool,
sample, graph, specification, manual documentation, that is Submitted by You to Us in which You own or assert
ownership of the Copyright.
- "**Copyright**" means all rights protecting works of authorship owned or controlled by You, including copyright, moral
- "**Copyright**" means all rights protecting works of authorship owned or controlled by You, including copyright, moral
and neighboring rights, as appropriate, for the full term of their existence including any extensions by You.
- "**Material**" means the work of authorship which is made available by Us to third parties. When this Agreement covers
more than one software project, the Material means the work of authorship to which the Contribution was Submitted.
Expand All @@ -39,22 +39,22 @@ provided that this license is conditioned upon compliance with Section 2.2.

### 2.2 Outbound License

Based on the grant of rights in Section 2.1, if We include Your Contribution in a Material,
Based on the grant of rights in Section 2.1, if We include Your Contribution in a Material,
We may license the Contribution under any license, including copyleft, permissive, commercial, or proprietary licenses.
As a condition on the exercise of this right, We agree to also license the Contribution under the terms of the license
As a condition on the exercise of this right, We agree to also license the Contribution under the terms of the license
or licenses which We are using for the Material on the Submission Date.

### 2.3 Moral Rights.
### 2.3 Moral Rights

If moral rights apply to the Contribution, to the maximum extent permitted by law, You waive and agree not to assert
If moral rights apply to the Contribution, to the maximum extent permitted by law, You waive and agree not to assert
such moral rights against Us or our successors in interest, or any of our licensees, either direct or indirect.
### 2.4 Our Rights.

### 2.4 Our Rights

You acknowledge that We are not obligated to use Your Contribution as part of the Material and may decide to include any
Contribution We consider appropriate.
### 2.5 Reservation of Rights.

### 2.5 Reservation of Rights

Any rights not expressly assigned or licensed under this section are expressly reserved by You.

Expand All @@ -72,7 +72,7 @@ Contribution.
**(c)** The grant of rights under Section 2 does not violate any grant of rights which You have made to third parties,
including Your employer. If You are an employee, You warrant that Your employer has approved this Agreement. If You
are less than eighteen years old, Your parent or guardian must sign a printed version of this Agreement and send it
to [email protected].
to <[email protected]>.

**(d)** You shall make each Contribution in full compliance with U.S. export control laws.

Expand All @@ -87,7 +87,7 @@ of this Agreement.
## 4. Miscellaneous

**4.1** This Agreement will be governed by and construed in accordance with the laws of Pennsylvania excluding its
conflicts of law provisions.
conflicts of law provisions.

**4.2** This Agreement sets out the entire agreement between You and Us for Your Contributions to Us and overrides all
other agreements or understandings.
2 changes: 1 addition & 1 deletion Contributors.md
@@ -1,6 +1,6 @@
# Contributors

Contributors:
https://github.com/CERTCC/Vultron/graphs/contributors
<https://github.com/CERTCC/Vultron/graphs/contributors>

Carnegie Mellon University
4 changes: 2 additions & 2 deletions LICENSE.md
Expand Up @@ -17,13 +17,13 @@ persons to whom the Software is furnished to do so, subject to the following con
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
Software.

## ACKNOWLEDGEMENTS AND DISCLAIMERS:
## ACKNOWLEDGEMENTS AND DISCLAIMERS

This program may include and/or can make use of certain third party source code, object code, documentation and other
files ("Third Party Software"). The Third Party Software that is used by this program is dependent upon your system
configuration. By using this program, You agree to comply with any and all relevant Third Party Software terms and
conditions contained in any such Third Party Software or separate license file distributed with such Third Party
Software. The parties who own the Third Party Software ("Third Party Licensors") are intended third party beneficiaries
Software. The parties who own the Third Party Software ("Third Party Licensors") are intended third party beneficiaries
to this License with respect to the terms applicable to their Third Party Software. Third Party Software licenses only
apply to the Third Party Software and not any other portion of this program or this program as a whole.

52 changes: 27 additions & 25 deletions README.md
Expand Up @@ -4,81 +4,83 @@ Vultron is a research project to explore the creation of a federated, decentrali
coordinated vulnerability disclosure (CVD). It has grown out of the CERT/CC's decades of experience in coordinating
global response to software vulnerabilities. The goal is to create a protocol that can be used by any organization
to coordinate the disclosure of vulnerabilities in information processing systems (software, hardware, services, etc.),
and to build a community of interoperability across independent organizations processes and policies that can work
and to build a community of interoperability across independent organizations processes and policies that can work
together to coordinate appropriate responses to vulnerabilities.

Vultron is a collection of ideas, models, code, and work in progress, and is not yet ready for production use.

# Background and related work
## Background and related work

Vultron is a continuation of the [CERT/CC](https://www.sei.cmu.edu/about/divisions/cert/index.cfm)'s work on improving the coordination of vulnerability disclosure and response.
Our previous work in this area includes:

- The CERT Guide to Coordinated Vulnerability Disclosure
([Version 1.0](https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=503330),
([Version 1.0](https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=503330),
[Version 2.0](https://vuls.cert.org/confluence/display/CVD)
)
- Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (SSVC)
- Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (SSVC)
([Version 1.0](https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=636379),
[Version 2.0](https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=653459),
[github](https://github.com/CERTCC/SSVC)
)
- The Vulnerability Information and Coordination Environment (VINCE)
- The Vulnerability Information and Coordination Environment (VINCE)
([blog post](https://insights.sei.cmu.edu/news/certcc-releases-vince-software-vulnerability-collaboration-platform/),
[github](https://github.com/CERTCC/VINCE)
)

- A variety of related research, including
- [Cybersecurity Information Sharing: Analysing an Email Corpus of Coordinated Vulnerability Disclosure](https://www.research.ed.ac.uk/en/publications/cybersecurity-information-sharing-analysing-an-email-corpus-of-co)
- [Historical Analysis of Exploit Availability Timelines](https://www.usenix.org/conference/cset20/presentation/householder)

More recently, the CERT/CC has been working towards formalizing this knowledge into a protocol for CVD.
More recently, the CERT/CC has been working towards formalizing this knowledge into a protocol for CVD.
This work began
with [A State-Based Model for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)](https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=735513),
which also appeared in an abridged form as [Are We Skillful or Just Lucky? Interpreting the Possible Histories of Vulnerability Disclosures](https://dl.acm.org/doi/10.1145/3477431)
which also appeared in an abridged form as [Are We Skillful or Just Lucky? Interpreting the Possible Histories of Vulnerability Disclosures](https://dl.acm.org/doi/10.1145/3477431)
in the ACM Journal _Digital Threats: Research and Practice_.
In 2022, we published a collection of [Coordinated Vulnerability Disclosure User Stories](https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=886543)
derived from both our process modeling work and from the experience of building VINCE.
That same year, we published [Designing Vultron: A Protocol for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)](https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=887198),
which serves as the basis for the work contained in this repository.

# So what *is* Vultron?
## So what _is_ Vultron?

Vultron is:

- A set of high-level processes representing the steps involved in coordinated vulnerability disclosure
- A formal protocol describing the interactions of those processes
- A formal protocol describing the interactions of those processes
- A set of behavior logic that can be implemented as either procedures for humans to follow or (in many cases) code that
can perform actions in response to state changes in a case with minimal human input
- A minimal data model for what information is necessary to track participant status and the overall case status through
the course of handling a CVD case

The above were all initially described in the
The above were all initially described in the
[Designing Vultron: A Protocol for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)](https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=887198) report.

In this repository, we are taking the first steps towards implementing the protocol and behavior logic described in that
report.
Currently, the work is focused on mapping the formal protocol onto the syntax and semantics of the [ActivityPub](https://www.w3.org/TR/activitypub/)
protocol.
report.
Currently, the work is focused on mapping the formal protocol onto the syntax and semantics of the [ActivityPub](https://www.w3.org/TR/activitypub/)
protocol.
Examples of our first steps in that direction can be found in [doc/examples](doc/examples)


# What is Vultron *not*?
## What is Vultron _not_?

Vultron is **not** a drop-in replacement for any particular

- _tracking system_&mdash;e.g., [Bugzilla](https://www.bugzilla.org/), [Jira](https://www.atlassian.com/software/jira)
- _CVD or threat coordination tool_&mdash;e.g., [VINCE](https://github.com/CERTCC/VINCE), [MISP](https://www.misp-project.org/)
- _CVD or threat coordination tool_&mdash;e.g., [VINCE](https://github.com/CERTCC/VINCE), [MISP](https://www.misp-project.org/)
- _Vulnerability disclosure program_&mdash;e.g., [DC3 VDP](https://www.dc3.mil/Missions/Vulnerability-Disclosure/Vulnerability-Disclosure-Program-VDP/)
- _Vulnerability disclosure platform or service_&mdash;e.g., [HackerOne](https://hackerone.com/), [Bugcrowd](https://www.bugcrowd.com/), [Synack](https://www.synack.com/)

Instead, it is our hope that Vultron could serve as a _lingua franca_ for the exchange of vulnerability case coordination information
between those systems and services.
between those systems and services.

Vultron is not a vulnerability priortization tool, although it is intended to be compatible with common
Vultron is not a vulnerability priortization tool, although it is intended to be compatible with common
prioritization schemes like [SSVC](https://github.com/CERTCC/SSVC) and [CVSS](https://www.first.org/cvss/).

Vultron is not intended to be a product, rather it's meant to be a feature set that can be implemented in a variety of
CVD-related products and services to enable interoperability between them.

# Other CERT CVD Resources
## Other CERT CVD Resources

For more about our work in modeling, formalizing, and describing the CVD process, see:

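Review bot: Two typos sit on lines this hunk rewrites and should be fixed while the lines are being touched: `priortization` should be `prioritization` in "Vultron is not a vulnerability priortization tool", and `organizations processes` should be `organizations' processes` in "across independent organizations processes and policies". Demoting every `#` heading to `##` is the right fix for MD025 (single-title) provided the file's one H1 is in the three lines above this hunk; please confirm that, since the hunk starts at line 4.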
Expand All @@ -87,18 +89,18 @@ For more about our work in modeling, formalizing, and describing the CVD process
- [SEI Podcast on Vultron](https://youtu.be/8WiSmhxJ2OM) (2023-02-24)
- [CERT Guide to Coordinated Vulnerabilty Disclosure](https://vuls.cert.org/confluence/display/CVD) (2017, 2019)
- [A State-Based Model for Multi-Party Coordinated Vulnerability Disclosure (MPCVD)](https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=735513) (2021)
- (abridged as) [Are We Skillful or Just Lucky? Interpreting the Possible Histories of Vulnerability Disclosures](https://dl.acm.org/doi/10.1145/3477431) (2022)
- (abridged as) [Are We Skillful or Just Lucky? Interpreting the Possible Histories of Vulnerability Disclosures](https://dl.acm.org/doi/10.1145/3477431) (2022)
- [Coordinated Vulnerability Disclosure User Stories](https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=886543) (2022)
- [Multi-Method Modeling and Analysis of the Cybersecurity Vulnerability Management Ecosystem](https://resources.sei.cmu.edu/asset_files/WhitePaper/2019_019_001_550437.pdf)
(2019) is a snapshot of some related System Dynamics and Agent-based modeling we did of CVD and related processes.
- [Coordinated Vulnerability Disclosure is a Concurrent Process](https://youtu.be/vhA0duqGzmQ) (2015)
is an older talk which looks at a number of prior models of the CVD process, and shows some of our early
is an older talk which looks at a number of prior models of the CVD process, and shows some of our early
attempts to formally describe the concurrency aspects of the CVD process.

# License and Copyright
## License and Copyright

We are still working out the correct licensing model for this effort, but for now, this repository is covered by the
included [copyright statement](COPYRIGHT.md).
included [copyright statement](COPYRIGHT.md).

If you have feedback on this topic (including whether the copyright/license is causing difficulty for you to collaborate
with us on this project), please let us know in an [issue](https://github.com/CERTCC/Vultron/issues/new).
with us on this project), please let us know in an [issue](https://github.com/CERTCC/Vultron/issues/new).
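Review bot: `Vulnerabilty` in the "CERT Guide to Coordinated Vulnerabilty Disclosure" context line is a typo for `Vulnerability`; it is unchanged by this hunk, but since the PR is already reflowing this list, fix it here rather than leaving it for a separate spelling PR.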
2 changes: 1 addition & 1 deletion doc/README.md
@@ -1,6 +1,6 @@
# Vultron Docs

What's here:

- [User Stories](/docs/topics/user_stories/)
- [Activity Vocabulary Examples](/doc/examples/)

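Review bot: Both links use root-absolute paths (`/docs/topics/user_stories/`, `/doc/examples/`) that do not resolve the same way everywhere: on GitHub they are resolved against the repository root, where `doc/` and `docs/` both exist (see the other files in this PR), and `/docs/topics/user_stories/` reads like a path on the built documentation site rather than a directory in the repository. Prefer links relative to `doc/README.md` (e.g. `examples/`) or an explicit site URL so the link works in both renderings; the top-level README already uses a relative `doc/examples`.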
2 changes: 1 addition & 1 deletion docs/about/acknowledgements.md
@@ -1 +1 @@
{% include-markdown "../../Acknowledgements.md" %}
{% include-markdown "../../Acknowledgements.md" %}
2 changes: 1 addition & 1 deletion docs/about/contributing.md
Expand Up @@ -2,4 +2,4 @@

## Contribution Instructions

{% include-markdown "../../ContributionInstructions.md" heading-offset=2 %}
{% include-markdown "../../ContributionInstructions.md" heading-offset=2 %}
6 changes: 2 additions & 4 deletions docs/about/faq.md
Expand Up @@ -2,12 +2,11 @@

## What do we need to move the Vultron Protocol to widespread use?

First, we need to finish the protocol and get it to a sufficiently stable state that we can start to use it even in
First, we need to finish the protocol and get it to a sufficiently stable state that we can start to use it even in
test environments. We're not there yet.

In the meantime, there are a number of other things that can help. We're looking for help with:


## How do we apply encryption to ActivityPub messages to enable end-to-end encryption?

We're of the opinion that encrypted messaging is a feature that should be available to all users of
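Review bot: "In the meantime, there are a number of other things that can help. We're looking for help with:" ends on a colon and is followed directly by the next `##` heading, so the list it introduces is missing. Either restore the list or end the sentence differently; dropping the doubled blank line makes the gap more visible, not less.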
Expand All @@ -26,7 +25,7 @@ Some relevant links include:
post [Towards End-to-End Encryption for Direct Messages in the Fediverse](https://soatok.blog/2022/11/22/towards-end-to-end-encryption-for-direct-messages-in-the-fediverse/)
- [Issue #225](https://github.com/w3c/activitypub/issues/225) on the W3C ActivityPub Github repo talks about the
need for encrypted content, but it seems to have been closed without a solution in 2017.
- However, a much more
- However, a much more
recent [April 2023 comment](https://github.com/w3c/activitypub/issues/225#issuecomment-1493887382)
mentions:
> If we restrict to direct message (with a single recipient) one may just encrypt the message (Note) payload using
Expand All @@ -45,4 +44,3 @@ We'd be interested to know how we could help with efforts to bring encrypted mes
## What are the requirements for contributing?

See [CONTRIBUTING](contributing.md)

2 changes: 1 addition & 1 deletion docs/about/license.md
@@ -1 +1 @@
{% include-markdown "../../LICENSE.md" %}
{% include-markdown "../../LICENSE.md" %}