Appendix C - Sample Vulnerability Report Form*
This is a vulnerability report, typically sent from a reporter to a vendor. These reports may also be shared among other third parties, by the reporter, the vendor, or a coordinator.
This is a report example based on the CERT/CC's Vulnerability Reporting Form \[79\], and is not meant to be exhaustive of all possibilities. Please modify the sections and format as necessary to better suit your needs.
*Vulnerability Report*
The information below should be handled as (choose one): 
<span style="color: #ff0033">TLP:RED</span> / <span style="color: #ffc000">TLP:AMBER</span> / <span style="color: #33ff00">TLP:GREEN</span> / <span style="color: #ffffff">TLP: WHITE</span>
*Vulnerability*

• Software/Product(s) containing the vulnerability:
• Vulnerability Description:
• How may an attacker exploit this vulnerability? (Proof of Concept):
• What is the impact of exploiting this vulnerability? (What does an attacker gain that the attacker didn't have before?)
• How did you find the vulnerability? (Be specific about tools and versions you used.)
• When did you find the vulnerability?

Disclosure Plans

• I have already reported this vulnerability to the following vendors and organizations:
• Is this vulnerability being publicly discussed? YES/NO, if yes then provide URL.
• Is there evidence that this vulnerability is being actively exploited? YES/NO, if yes, then provide URL/evidence.
• I plan to publicly disclose this vulnerability...
• on this date: (Please include your time zone.)
• at this URL:

Reporter

• Name:
• Organization:
• Email:
• PGP Public Key (ASCII Armored or a URL):
• Telephone:
• May we provide your contact information to third parties? YES/NO
• Do you want to be publicly acknowledged in a disclosure? YES/NO

Additional Information

• Vendor Tracking ID, CERT Tracking ID, or CVE ID if known:
• Additional Comments: