The vulnerability disclosure document is also often referred to as a "security advisory," particularly if published by the vendor.

This is an example of a vulnerability disclosure document based on CERT/CC's Vulnerability Notes format. It is not meant to be exhaustive of all scenarios.

Please modify the sections and format as necessary to better suit your needs.

Vulnerability Disclosure Document

Overview

  • Brief Vulnerability Description: (try to keep it to 1-2 sentences)

Vulnerability ID

  • CVE ID for this Vulnerability:

  • Any other IDs (vendor tracking ID, bug tracker ID, CERT ID, etc.):

Description

  • Software/Product(s) containing the vulnerability:
  • Version number of vulnerable software/product:
  • Product Vendor:

  • Type of Vulnerability, if known: (see MITRE's CWE site for list of common types of vulnerabilities)

  • Vulnerability Description:
  • How may an attacker exploit this vulnerability? (Proof of Concept):

Impact

  • What is the impact of exploiting this vulnerability? (What does an attacker gain that the attacker didn't have before?)

CVSS Score

  • CVSS:3.0/AV:?/AC:?/PR:?/UI:?/S:?/C:?/I:?/A:? – 0.0 (LOW/MEDIUM/HIGH/CRITICAL)

  • Provide the full CVSS vector, not only the score. If possible, provide guidance on the temporal and environmental metrics, not only the base metrics. See https://www.first.org/cvss/.

Resolution

  • Version containing the fix:
  • URL or contact information to obtain the fix:
  • Alternately, if no fix is available, list workaround or mitigation advice below:

Reporter

This vulnerability was reported/discovered by _____________.

Author and/or Contact Info

For more information or questions, please contact:

  • Name:
  • Organization:
  • Email:
  • PGP Public Key (ASCII Armored or a URL):

Disclosure Timeline

  • Date of First Vendor Contact Attempt:
  • Date of Vendor Response:
  • Date of Patch Release:
  • Disclosure Date:

(List more dates here as necessary to document your communication attempts.)


< Appendix C – Sample Vulnerability Report Form | Appendix E – Disclosure Policy Templates >

References

(List reference URLs here: for example, vendor advisory, other disclosures, and links to advice on mitigating problems.)

  • No labels

CMU/SEI-2017-SR-022 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY
Distribution Statement A: Approved for Public Release; Distribution is Unlimited