Vulnerability Disclosure Report

Introduction

Vulnerability Disclosure Reports (VDR) provide a structured and standardized way to communicate known and previously unknown vulnerabilities in products and services. By leveraging the CycloneDX specification, VDRs make vulnerability data precise, actionable, and easily understood by stakeholders. These reports are versatile, serving as documentation for findings from penetration tests, internal security assessments, or bug bounty submissions. CycloneDX aligns with the principles of ISO/IEC 29147:2018, which outlines best practices for responsible vulnerability disclosure, and exceeds its data field requirements by including additional contextual and actionable information.

Organizations can use VDRs to meet contractual obligations, such as notifying specific customers about vulnerabilities in their products or services. They also support coordinated vulnerability disclosure programs, fostering transparency and collaboration between product security teams, customers, and external researchers. By providing detailed information like affected components, severity levels, remediation recommendations, and additional metadata, VDRs streamline response efforts and enable faster, more effective vulnerability management across diverse use cases.

Highlighted fields

Property          Usage Description
ratings           Combines metrics such as CVSS (severity) and OWASP Risk Rating (likelihood and impact) to help prioritize vulnerabilities effectively. Severity indicates the potential damage, while risk considers context, ensuring that teams focus on issues with the greatest overall threat.
detail            Provides a clear description of the vulnerability, ensuring developers fully understand its nature and impact. This clarity reduces confusion and aligns all stakeholders on the scope of the issue.
recommendation    Offers actionable guidance on resolving the vulnerability, such as upgrading to a specific version or applying a patch. This accelerates remediation by eliminating guesswork.
workaround        Suggests temporary measures to mitigate risk when immediate fixes are not feasible. This helps maintain system security while long-term solutions are developed.
proofOfConcept    Demonstrates how the vulnerability can be exploited, adding context and urgency. By linking to detailed examples, this property helps developers validate fixes and assess potential impacts.
compositions      Compositions assert the known completeness of reported data, such as vulnerabilities. They use predefined aggregate values to clarify whether the information is full, partial, or unknown in scope.

NIST SP 800-161: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations defines Vulnerability Disclosure Reports (VDR) as a best practice and recommends that VDRs include:

  • Analysis and findings describing the impact (or lack thereof) that a reported vulnerability has on a component or product
  • Plans to address the vulnerability
  • Signing the VDR with a trusted, verifiable, private key that includes a timestamp indicating the date and time of the VDR signature
  • Publishing the VDR to a secure portal
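A consumer-side check that ties the highlighted fields and the NIST SP 800-161 recommendations together, written as an added example (not CycloneDX project code): it walks a VDR, flags vulnerabilities that lack an impact analysis or a remediation plan, verifies that every affects ref resolves to a bom-ref and is covered by a "complete" composition assertion, and picks the worst severity across CVSS and OWASP ratings for triage. The embedded VDR is a constructed, abbreviated version of the document shown under Examples; the completeness check follows that example's convention of listing the affected component's bom-ref under compositions.vulnerabilities.

```python
import json

# Constructed, abbreviated VDR in the shape of the page's example (not the full document).
SAMPLE_VDR = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "metadata": {"timestamp": "2025-01-21T12:00:00Z",
               "component": {"bom-ref": "internal-web-app", "name": "Internal Web App", "version": "2.4.1"}},
  "compositions": [{"aggregate": "complete", "vulnerabilities": ["internal-web-app"]}],
  "vulnerabilities": [{
    "id": "INT-2025-002",
    "ratings": [{"score": 6.3, "severity": "medium", "method": "CVSSv31",
                 "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"},
                {"severity": "high", "method": "OWASP"}],
    "recommendation": "Deploy version 2.4.2.",
    "analysis": {"state": "exploitable"},
    "affects": [{"ref": "internal-web-app", "versions": [{"version": "2.4.1", "status": "affected"}]}]
  }]
}
""")

# CycloneDX severity values, ordered so CVSS- and OWASP-derived ratings can be compared.
SEVERITY_ORDER = {"unknown": 0, "none": 1, "info": 2, "low": 3, "medium": 4, "high": 5, "critical": 6}

def check_vdr(vdr):
    """Return a list of findings: missing NIST-recommended fields, dangling refs, completeness gaps."""
    findings = []
    known_refs = {vdr["metadata"]["component"]["bom-ref"]}
    known_refs |= {c["bom-ref"] for c in vdr.get("components", []) if "bom-ref" in c}
    # Refs whose vulnerability data the producer asserts as complete (as in the page's example).
    complete = {r for comp in vdr.get("compositions", []) if comp.get("aggregate") == "complete"
                for r in comp.get("vulnerabilities", [])}
    for vuln in vdr.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        if "analysis" not in vuln:
            findings.append(f"{vid}: missing analysis (NIST: impact analysis and findings)")
        if not (vuln.get("recommendation") or vuln.get("workaround")):
            findings.append(f"{vid}: no recommendation or workaround (NIST: plans to address)")
        for aff in vuln.get("affects", []):
            ref = aff.get("ref")
            if ref not in known_refs:
                findings.append(f"{vid}: affects ref '{ref}' does not match any bom-ref")
            elif ref not in complete:
                findings.append(f"{vid}: vulnerability data for '{ref}' not asserted complete")
    return findings

def worst_severity(vuln):
    """Highest severity across all ratings of one vulnerability, for prioritization."""
    return max((r.get("severity", "unknown") for r in vuln.get("ratings", [])),
               key=lambda s: SEVERITY_ORDER.get(s, 0), default="unknown")
```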

Examples

{
  "$schema": "https://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "metadata": {
    "timestamp": "2025-01-21T12:00:00Z",
    "component": {
      "bom-ref": "internal-web-app",
      "manufacturer": {
        "name": "Acme Inc"
      },
      "type": "application",
      "name": "Internal Web App",
      "version": "2.4.1",
      "description": "This is an example and serves as the affected first-party application in this example."
    }
  },
  "compositions": [
    {
      "aggregate": "complete",
      "vulnerabilities": [ "internal-web-app" ]
    }
  ],
  "vulnerabilities": [
    {
      "id": "INT-2025-002",
      "ratings": [
        {
          "source": {
            "name": "Security Research Company"
          },
          "score": 6.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N"
        },
        {
          "source": {
            "name": "Security Research Company"
          },
          "severity": "high",
          "method": "OWASP",
          "vector": "SL:6/M:1/O:7/S:6/ED:7/EE:5/A:4/ID:8/LC:6/LI:5/LAV:5/LAC:7/FD:7/RD:5/NC:7/PV:9"
        }
      ],
      "cwes": [ 285 ],
      "description": "Authentication bypass vulnerability in the Internal Web App due to improper role validation logic.",
      "detail": "An authentication bypass vulnerability in the Internal Web App allows users with restricted roles to perform administrative actions. The issue stems from improper role validation in the application’s authentication logic, specifically within the 'verifyRole' function. When a crafted HTTP request is sent to endpoints requiring admin privileges, the system incorrectly assigns elevated access to non-admin users. This vulnerability is most impactful in instances where additional access controls are not in place, as it could lead to unauthorized changes to critical system settings, data exposure, and operational disruptions.",
      "recommendation": "Update the authentication logic to include strict role validation checks. Deploy version 2.4.2, which addresses the issue by correcting the role validation logic in the 'verifyRole' function.",
      "workaround": "Restrict access to the application by implementing IP allowlisting or disabling administrative endpoints temporarily.",
      "proofOfConcept": {
        "reproductionSteps": "1: Log in with a user account that has restricted privileges (e.g., 'viewer' role). 2: Intercept the authentication token using a proxy tool such as Burp Suite. 3: Modify the HTTP request to include the 'admin=true' parameter in the body or query string. 4: Send the modified request to an administrative endpoint, such as '/admin/settings'. 5: Observe that the response allows unauthorized access to administrative functionality.",
        "environment": "Prod and subprod",
        "supportingMaterial": [
          {
            "contentType": "image/jpeg",
            "encoding": "base64",
            "content": "<base64-encoded JPEG omitted>"
          }
        ]
      },
      "created": "2025-01-19T12:00:00Z",
      "published": "2025-01-19T12:00:00Z",
      "updated": "2025-01-21T12:00:00Z",
      "credits": {
        "organizations": [
          {
            "name": "Security Research Company",
            "url": [ "https://example.com/" ]
          }
        ],
        "individuals": [
          {
            "name": "James T. Vidal",
            "email": "[email protected]"
          }
        ]
      },
      "analysis": {
        "state": "exploitable"
      },
      "affects": [
        {
          "ref": "internal-web-app",
          "versions": [
            {
              "version": "2.4.1",
              "status": "affected"
            }
          ]
        }
      ]
    }
  ]
}