Reporters who do not provide enough information to a vendor or coordinator may find their reports delayed or even rejected. Using CWE [2] or CAPEC [3] as a reference might be helpful to describe the type of vulnerability you have found and common ways to fix the problem.

An example of a template for a vulnerability report, based on the CERT/CC's own Vulnerability Reporting Form (VRF) [4], is provided in Appendix D. Vendors that require additional information to validate reports should clearly document their specific requirements in their vulnerability disclosure policy, reporting form, or process description.




  1. K. Price, "Writing a bug report - Attack Scenario and Impact are key!" 2 August 2015. [Online]. Available: [Accessed 17 May 2017].
  2. MITRE, "Common Weakness Enumeration (CWE)," [Online]. Available: [Accessed 17 May 2017].
  3. MITRE, "Common Attack Pattern Enumeration and Classification," [Online]. Available: [Accessed 17 May 2017].
  4. CERT/CC, "Vulnerability Reporting Form," [Online]. Available: [Accessed 17 May 2017].