Open Source - Common Findings DataBase (JSON & MD)
Clone or download

Branch Status
Master Build Status Maintainability License HitCount
Development Build StatusLicense HitCount

OS-CFDB: Open Source - Common Findings Data Base

This project aims to provide a single source of common findings seen on Web/Application, Network, and Red Team assessments. While this project is scalable, it may not cover every single scenario applicable to your needs or reporting SOP (Standard Operating Procedures).

Please understand that this is Open Source project that is driven by community feedback. If you do not contribute, who will? Please take the time to correct, update, or even make a pull request when you are feeling up to the task.

Table of Contents


Too often in prior experience reporting was repetitive, inaccurate and time loss incurred during the phase of the assessment. These constraints were due to lack of a centralized repository for findings, a single source of truth. However, this can raise a greater question of how we can integrate into automation. Moving forward this project hopes to help small, over-tasked, and startups produce valuable data for clients and their organizations they support.

How to Interpret the Data

The data within this project is broken out into multiple headers and lists; this allows for easy data serialization to JSON or other future formats as long as an MD parser exists. You will find three major sections:

  • Finding Details
  • Technical Information
  • Finding Metadata

Each major section contains multiple sub-sections to help automate and use canned vocabulary.

Finding Details

Contains the common data types that may be needed to include in reporting metadata and allow for toolset integration.

  • Title - The title of the finding
  • VSR - Vulnerability Severity Rating - Custom developed default rating to place a finding
  • CVSS - Applied score that depicts a translation from VSR to CVSS
  • Risk - The commonly applied label of the finding
  • Service - Descriptor of how a finding denoted identification
  • NIST 800-53 - Specific correlating controls to finding
  • MITRE ATT&CK - Linked tactics that may relate to the finding for further risk analysis
  • References - Curated list of sources that should be used during reporting

Technical Information

  • Description - The technical overview of a finding, this is not meant to be all-inclusive.
  • Impact - A section of a how the result will affect an organization.
  • Recommendation(s) - Current plan of action to impment.

Finding Metadata

  • Author(s) - List of people that worked on a finding.
  • Source(s) - Sources the author used for research of a finding.
  • Created - Time and date of creation.
  • Updated - time and date of an update to a finding.

How the Data is Supplied

  • JSON - Will allow for serializable data structures or integration into many other solutions. -- CURRENTLY UNDER DEVLOPMENT
  • MD - MarkDown is a way to display structured text and allow readers to view the findings quickly.

Finding Classification and Scoring

Each finding is provided a Default Vulnerability Severity Rating (VSR) & a correlated Common Vulnerability Scoring System (CVSS) identifier.

Vulnerability Severity Rating Common Vulnerability Scoring System (CVSS) Vulnerability Severity Evaluation Criteria
Level 5 8.0 – 10.0 Finding may allow an attacker to gain remote execution as a privileged or unprivileged user that exposes sensitive data, or allows read/write of a remote system. This may allow an attacker to execute code, change or read sensitive data and break all confidentiality, integrity or accountability of the affected system.
Level 4 6.0 – 7.9 The finding may allow an attacker to gain read-only, denial or resources or under certain conditions, the exploitability allows user-mode code execution.
Level 3 4.0 – 5.9 The finding may allow an attacker to manipulate or abuse application functionality, denial of service or partial read-only access to application data in a constrained environment.
Level 2 2.0 – 3.9 The finding may allow an attacker to obtain sensitive information about a system, internal network, or other identifying data that could lead to further compromise.
Level 1 0.0 -1.9 The finding may allow an attacker to gather vague system information. This often occurs to do best practices not being properly implemented.

Finding ID Matrix

Each finding has a provided OS-CFDB ID to provide a Unique ID to each finding:

Finding Platform ID Prefix
Windows OS-CFDB-1***
MacOS OS-CFDB-2***
Linux OS-CFDB-3***
Andriod OS-CFDB-4***
Web OS-CFDB-6***
Phishing OS-CFDB-7***

Current Finding Tree