
Security Advisories and Vulnerability Advisory Report (formerly Vulnerability Disclosure Reports) #2

Open
rjb4standards opened this issue Mar 11, 2025 · 2 comments

@rjb4standards

Two types of machine-readable vulnerability reporting have been used extensively to communicate with customers with affected products.

  1. Security Advisories - following the CSAF profile 4 (Security Advisory) profile; this is vulnerability-centric reporting on a specific vulnerability and its affected products.
  2. Vulnerability Disclosure Reports (NIST guidance in SP 800-161r1), now renamed Vulnerability Advisory Report (VAR), reporting on the vulnerability status of a specific product, typically at the SBOM component level. Two machine-readable VDR/VAR formats are available:
  • Implicit - only lists SBOM components with reported vulnerabilities in a product
  • Explicit - lists each SBOM component with its vulnerability status, including those with no vulnerabilities reported, serving as an attestation by a supplier of their vulnerability monitoring activities per product

Both the implicit and explicit options of VDR/VAR have open source, free-to-use machine-readable formats available that follow the NIST SP 800-161r1 RA-5 data requirements.
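The implicit/explicit distinction described in the comment above is easiest to see when both reports are generated from the same SBOM and the same findings. The following is an added example, not code from this issue, from CycloneDX, or from the BCG format; the report layout, component refs, and vulnerability identifiers are constructed for illustration and follow neither linked schema. It also adds the check a consumer of an explicit VAR wants: that the report actually says something about every component in the SBOM, which is what makes it an attestation rather than a list of known problems.

```python
"""Implicit vs. explicit VDR/VAR built from one SBOM and one set of findings.

Illustrative structures only (assumption): they encode the implicit/explicit
distinction discussed in the issue, not the CycloneDX or SAG VDR schemas.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    bom_ref: str   # unique reference for the SBOM entry
    name: str
    version: str


@dataclass(frozen=True)
class Finding:
    vuln_id: str   # advisory identifier as reported by the supplier
    bom_ref: str   # component the finding applies to
    state: str     # e.g. "exploitable", "not_affected", "in_triage"


# Constructed sample SBOM and findings; the identifiers are not real advisories.
SBOM = [
    Component("pkg:generic/libalpha@1.2.0", "libalpha", "1.2.0"),
    Component("pkg:generic/libbeta@3.4.1", "libbeta", "3.4.1"),
    Component("pkg:generic/libgamma@0.9.0", "libgamma", "0.9.0"),
]
FINDINGS = [
    Finding("EXAMPLE-2025-0001", "pkg:generic/libalpha@1.2.0", "exploitable"),
    Finding("EXAMPLE-2025-0002", "pkg:generic/libgamma@0.9.0", "not_affected"),
]


def _group_findings(sbom: list[Component], findings: list[Finding]) -> dict[str, list[dict]]:
    """Group findings by component ref, rejecting refs not present in the SBOM."""
    known = {c.bom_ref for c in sbom}
    grouped: dict[str, list[dict]] = {}
    for f in findings:
        if f.bom_ref not in known:
            raise ValueError(f"finding {f.vuln_id} references unknown component {f.bom_ref}")
        grouped.setdefault(f.bom_ref, []).append({"id": f.vuln_id, "state": f.state})
    return grouped


def implicit_report(sbom: list[Component], findings: list[Finding]) -> dict:
    """Implicit form: only components with at least one reported vulnerability appear.
    A component that is absent is silent, not declared clean."""
    return {"type": "implicit", "components": _group_findings(sbom, findings)}


def explicit_report(sbom: list[Component], findings: list[Finding], monitored_on: str) -> dict:
    """Explicit form: every SBOM component is listed; an empty list is an affirmative
    'no vulnerabilities reported' statement as of the monitoring date."""
    entries: dict[str, list[dict]] = {c.bom_ref: [] for c in sbom}
    for ref, vulns in _group_findings(sbom, findings).items():
        entries[ref].extend(vulns)
    return {"type": "explicit", "monitored_on": monitored_on, "components": entries}


def coverage_gaps(sbom: list[Component], report: dict) -> set[str]:
    """SBOM components the report says nothing about.
    For an implicit report this is the silent set; for an explicit report it must be empty."""
    return {c.bom_ref for c in sbom} - set(report["components"])


def is_attestation(sbom: list[Component], report: dict) -> bool:
    """True only for an explicit report that covers every component in the SBOM."""
    return report["type"] == "explicit" and not coverage_gaps(sbom, report)


if __name__ == "__main__":
    imp = implicit_report(SBOM, FINDINGS)
    exp = explicit_report(SBOM, FINDINGS, monitored_on="2025-03-11")
    print("implicit silent components:", sorted(coverage_gaps(SBOM, imp)))
    print("explicit is attestation:", is_attestation(SBOM, exp))
```

The point of `coverage_gaps` is that an implicit report and an explicit report can carry identical findings and still mean different things: in the implicit form, libbeta's absence says nothing about libbeta, while in the explicit form its empty list is a supplier statement that nothing was reported as of the monitoring date. A consumer that treats an implicit report as an attestation is reading a guarantee into the data that the format never made.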

@mrybczyn

We are aware of those standards, of course. What do you suggest? Adding them explicitly in the specification?

@rjb4standards (Author)

@mrybczyn Some people may find references to the actual VDR format/schema templates a useful aid to understanding:
CycloneDX: https://raw.githubusercontent.com/CycloneDX/specification/refs/heads/master/schema/bom-1.6.xsd
Open Source NIST VDR format from BCG: https://raw.githubusercontent.com/rjb4standards/REA-Products/refs/heads/master/SAGVulnDisclosure-V212.xsd
