Appendix C - Sample Vulnerability Report Form
This is a vulnerability report, typically sent from a reporter to a vendor. These reports may also be shared among other third parties, by the reporter, the vendor, or a coordinator.
This is an example report based on the CERT/CC's Vulnerability Reporting Form, and is not meant to be exhaustive of all possibilities. Please modify the sections and format as necessary to better suit your needs.
The information below should be handled as (choose one):
<span style="color: #ff0033">TLP:RED</span> / <span style="color: #ffc000">TLP:AMBER</span> / <span style="color: #33ff00">TLP:GREEN</span> / <span style="color: #ffffff">TLP:WHITE</span>
- Software/Product(s) containing the vulnerability:
- Vulnerability Description:
- How may an attacker exploit this vulnerability? (Proof of Concept):
- What is the impact of exploiting this vulnerability? (What does an attacker gain that the attacker didn't have before?)
- How did you find the vulnerability? (Be specific about tools and versions you used.)
- When did you find the vulnerability?
- I have already reported this vulnerability to the following vendors and organizations:
- Is this vulnerability being publicly discussed? YES/NO, if yes then provide URL.
- Is there evidence that this vulnerability is being actively exploited? YES/NO, if yes, then provide URL/evidence.
- I plan to publicly disclose this vulnerability...
  - on this date: (Please include your time zone.)
  - at this URL:
- PGP Public Key (ASCII Armored or a URL):
- May we provide your contact information to third parties? YES/NO
- Do you want to be publicly acknowledged in a disclosure? YES/NO
- Vendor Tracking ID, CERT Tracking ID, or CVE ID if known:
- Additional Comments: