The vulnerability disclosure document is also often referred to as a "security advisory," particularly if published by the vendor.
This is an example of a vulnerability disclosure document based on CERT/CC's Vulnerability Notes format. It is not meant to be exhaustive of all scenarios.
Please modify the sections and format as necessary to better suit your needs.
Vulnerability Disclosure Document
- Brief Vulnerability Description: (try to keep it to 1-2 sentences)
- CVE ID for this Vulnerability:
- Any other IDs (vendor tracking ID, bug tracker ID, CERT ID, etc.):
- Software/Product(s) containing the vulnerability:
- Version number of vulnerable software/product:
- Product Vendor:
- Type of Vulnerability, if known: (see MITRE's CWE site for list of common types of vulnerabilities)
- Vulnerability Description:
- How may an attacker exploit this vulnerability? (Proof of Concept):
- What is the impact of exploiting this vulnerability? (What does an attacker gain that the attacker didn't have before?)
- CVSS:3.0/AV:?/AC:?/PR:?/UI:?/S:?/C:?/I:?/A:? – 0.0 (LOW/MEDIUM/HIGH/CRITICAL)
Provide the full CVSS vector, not only the score. If possible, provide guidance on the temporal and environmental metrics, not only the base metrics. See https://www.first.org/cvss/.
- Version containing the fix:
- URL or contact information to obtain the fix:
- Alternatively, if no fix is available, list workaround or mitigation advice below:
This vulnerability was reported/discovered by _____________.
Author and/or Contact Info
For more information or questions, please contact:
- PGP Public Key (ASCII Armored or a URL):
- Date of First Vendor Contact Attempt:
- Date of Vendor Response:
- Date of Patch Release:
- Disclosure Date:
(List more dates here as necessary to document your communication attempts.)
(List reference URLs here: for example, vendor advisory, other disclosures, and links to advice on mitigating problems.)