Vulnerability Disclosure Report (VDR)

 

Communicate known and unknown vulnerabilities affecting components and services

Known vulnerabilities inherited from the use of third-party and open source software can be communicated with CycloneDX. Previously unknown vulnerabilities affecting both components and services may also be disclosed using CycloneDX, making it ideal for Vulnerability Disclosure Report (VDR) use cases.

NIST SP 800-161: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations defines Vulnerability Disclosure Reports (VDR) as a best practice and recommends VDRs include:

  • Analysis and findings describing the impact (or lack thereof) that a reported vulnerability has on a component or product
  • Plans to address the vulnerability
  • Signing the VDR with a trusted, verifiable, private key that includes a timestamp indicating the date and time of the VDR signature
  • Publishing the VDR to a secure portal

CycloneDX exceeds the data field requirements defined in ISO/IEC 29147:2018 for vulnerability disclosure information and provides a simple path for including Vulnerability Exploitability eXchange (VEX) information.

Abstract of VDR and VEX data represented in a BOM

Independent BOM and VDR BOM

CycloneDX fully supports all NIST recommendations for VDR including:

Independent BOM and VDR Document

With CycloneDX, it is possible to reference a component, service, or vulnerability inside a BOM from other systems or other BOMs. This deep-linking capability is referred to as BOM-Link and is a formally registered URN.

Learn more about how CycloneDX makes use of BOM-Link.

CycloneDX VDR BOMs can also be used with alternative SBOM formats such as SPDX, but without the tight integration or support of an IETF standard for linkage. Vendor support may vary.

BOM With Embedded VDR

BOM With Embedded VDR

CycloneDX also supports embedding VDR information inside a BOM, thus having a single artifact that describes both inventory and VDR data. There are several uses for embedding VDR data including:

  • Audit use cases where inventory and vulnerability data need to be captured at a specific point in time
  • Automated security tools may opt to create a single BOM with embedded vulnerability or VDR data for convenience and portability

High-Level Object Model

CycloneDX Object Model Swimlane

Examples

BOMs demonstrating VDR capabilities can be found at https://github.com/CycloneDX/bom-examples

See also

Additional Capabilities

SBOM

Software Bill of Materials

Inventory software components and services and the dependency relationships between them

 

SaaSBOM

Software as a Service Bill of Materials

Inventory services, endpoints, and data flows and classifications that power cloud-native applications

 

CBOM

Cryptography Bill of Materials

Discover, manage and report on cryptography in preparation for quantum-safe systems and applications

 

VEX

Vulnerability Exploitability eXchange

Convey the exploitability of vulnerable components in the context of the product in which they're used

 

HBOM

Hardware Bill of Materials

Inventory hardware components for IoT, ICS, and other types of embedded and connected devices

 

ML-BOM

Machine-Learning Bill of Materials

Model and dataset transparency for security, privacy, safety and ethical considerations

 

Attestations

Attestations (CDXA)

Machine-readable statements of claims, evidence, and testimony in compliance with standards

 

MBOM

Manufacturing Bill of Materials

Declared and observed formulation for reproducibility throughout product lifecycle

 

OBOM

Operations Bill of Materials

Full-stack inventory of runtime environments, configurations, and additional dependencies

 

VDR

Vulnerability Disclosure Report

Communicate known and unknown vulnerabilities affecting components and services

 

BOM-Link

Bill of Materials Linkage Syntax

Reference components, services, or vulnerabilities in BOMs from other systems or other BOMs

 

BOV

Bill of Vulnerabilities

Share vulnerability data between systems and sources of vulnerability intelligence

 

Release Notes

Common Release Notes Format

Standardizes release notes unlocking new workflows for software publishers and consumers

 

CycloneDX Supporters

Apiiro
Bloomberg
Contrast Security
Ecma International
Fortress Information Security
IBM
IonChannel
Kondukto
Lockheed Martin
NowSecure
OWASP
Rezilion
ServiceNow
Sonatype