Reporters who do not provide enough information to a vendor or coordinator may find their reports delayed or even rejected. Using CWE [2] or CAPEC [3] as a reference might be helpful to describe the type of vulnerability you have found and common ways to fix the problem.

An example of a template for a vulnerability report, based on the CERT/CC's own Vulnerability Reporting Form (VRF) [4], is provided in Appendix D. Vendors that require additional information to validate reports should clearly document their specific requirements in their vulnerability disclosure policy, reporting form, or process description.




References

  1. K. Price, "Writing a bug report - Attack Scenario and Impact are key!" 2 August 2015. [Online]. Available: https://forum.bugcrowd.com/t/writing-a-bug-report-attack-scenario-and-impact-are-key/640. [Accessed 17 May 2017].
  2. MITRE, "Common Weakness Enumeration (CWE)," [Online]. Available: https://cwe.mitre.org/. [Accessed 17 May 2017].
  3. MITRE, "Common Attack Pattern Enumeration and Classification," [Online]. Available: https://capec.mitre.org/. [Accessed 17 May 2017].
  4. CERT/CC, "Vulnerability Reporting Form," [Online]. Available: https://vulcoord.cert.org/VulReport/. [Accessed 17 May 2017].