The vulnerability reporting standard specifies a machine-readable format for reporting found vulnerabilities and security threats to clients. The intention is that when you order a pentest, red teaming engagement, configuration review, etc., the results are delivered in a standardised, machine-readable format, so that the receiving organisation can ingest all reported findings into an application of its own choice.

Vulnerability scanners and assessment teams each report vulnerabilities in a slightly different way. A company that has to manage all of its vulnerabilities in one place therefore benefits from a single format like the one described below:
| UUID | ReportingDate | Systems | Title | Description | Risk | CVES | MitigationAdvisory | SecurityScore | PublicExploit | Reference |
|---|---|---|---|---|---|---|---|---|---|---|
UUID: Unique ID identifying the security flaw. It must be unique within the receiving organisation's system, so the ID assigned by the reporting entity may not be suitable for direct reuse.
example: OC1234567890

ReportingDate: Date on which the security flaw was found in the audited scope (YYYYMMDD).
example: 20230725

Systems: All systems affected by the security flaw within the audited scope, listed as FQDNs or IPs with the affected port. Do not list both the IP and the FQDN of the same system, as that is an unnecessary duplicate; do list multiple network interfaces of the same system separately.
example: ip:192.168.1.1:52 fqdn:test.local.com:80

Title: Descriptive title of the security flaw. It should convey as much as possible in one line.
example: Weak Password found

Description: Detailed description of the security flaw and how it was found, including reproducible steps.
example: In a file at \server\location\text.txt there was a password which was weak.

Risk: The risk to the system: the impact of the security flaw on confidentiality, integrity or availability.
example: An adversary may compromise the system and take over control

CVES: All known CVE IDs filed for this security flaw.
example: CVE-2023-0000 (placeholder; real IDs have the form CVE-YYYY-NNNN with at least four digits in the sequence number)

MitigationAdvisory: Comprehensive guidance on how to remediate, patch or avoid the security flaw. Be specific where possible and avoid general recommendations. If there are several options, list as many as are suitable and state which one is the more secure solution.
example: Install Microsoft patch KB1234567 see details in: https://support.microsoft.com/en-us/topic/patchnotes

SecurityScore: State which scoring metric you use, and give a score for each metric listed. If you use a public scoring system, adhere to its value range and notation.
example: CVSS3:8.3 OSSTMM3:exposure

PublicExploit: Public exploits, each rated by difficulty of exploitation. Suggested scale, from easiest to hardest: simple (1), low (2), medium (3), high (4), hard (5)
example: low:https://github.com/exploit medium:https://github.com/exploit2

Reference: Any references or supporting material.
example: https://url.test.com
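As an added example (not code from this repository), the following Python reads findings in the column layout above from CSV, validates the fields that have a defined shape (date, CVE IDs, `type:host:port` system entries, `metric:value` scores, `difficulty:url` exploits, duplicate system entries) and emits JSON for ingestion. It assumes that multi-valued columns are whitespace-separated as in the examples above and that hosts are IPv4 addresses or FQDNs (no IPv6); the sample CSV is constructed here and includes one deliberately malformed row to show the validation output.

```python
"""Parse and validate findings in the VRS column layout (added example, constructed input)."""
import csv
import io
import json
import re
from dataclasses import dataclass, field, asdict

# Column names follow the header row of the VRS table.
FIELDS = ["UUID", "ReportingDate", "Systems", "Title", "Description", "Risk",
          "CVES", "MitigationAdvisory", "SecurityScore", "PublicExploit", "Reference"]

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")                        # CVE-YYYY-NNNN, 4+ digits
DATE_RE = re.compile(r"^\d{8}$")                                   # YYYYMMDD as in the example
SYSTEM_RE = re.compile(r"^(ip|fqdn):([^:\s]+)(?::(\d{1,5}))?$")   # type:host[:port], no IPv6 (assumption)
DIFFICULTY = {"simple": 1, "low": 2, "medium": 3, "high": 4, "hard": 5}


@dataclass
class Finding:
    uuid: str
    reporting_date: str
    systems: list
    title: str
    description: str
    risk: str
    cves: list
    mitigation: str
    scores: dict
    exploits: list
    references: list
    problems: list = field(default_factory=list)  # validation messages, not a VRS column


def _split(value):
    """Multi-valued columns are assumed to be whitespace-separated, as in the examples."""
    return value.split()


def parse_finding(row):
    """Build a Finding from one CSV row (dict keyed by FIELDS); problems are recorded, not raised."""
    problems = []
    if not row["UUID"].strip():
        problems.append("UUID is empty")
    if not DATE_RE.match(row["ReportingDate"]):
        problems.append(f"ReportingDate {row['ReportingDate']!r} is not YYYYMMDD")

    systems, seen = [], set()
    for item in _split(row["Systems"]):
        m = SYSTEM_RE.match(item)
        if not m:
            problems.append(f"Systems entry {item!r} is not type:host[:port]")
            continue
        kind, host, port = m.groups()
        if (kind, host, port) in seen:                # exact duplicate of an earlier entry
            problems.append(f"Systems entry {item!r} listed twice")
            continue
        seen.add((kind, host, port))
        systems.append({"type": kind, "host": host, "port": int(port) if port else None})

    cves = []
    for cve in _split(row["CVES"]):
        if CVE_RE.match(cve):
            cves.append(cve)
        else:
            problems.append(f"CVE id {cve!r} is malformed")

    scores = {}
    for item in _split(row["SecurityScore"]):
        metric, _, value = item.partition(":")
        if not value:
            problems.append(f"SecurityScore entry {item!r} lacks a metric:value pair")
            continue
        try:
            scores[metric] = float(value)             # numeric systems such as CVSS
        except ValueError:
            scores[metric] = value                    # qualitative systems such as OSSTMM classes
        if metric.upper().startswith("CVSS") and not (
                isinstance(scores[metric], float) and 0.0 <= scores[metric] <= 10.0):
            problems.append(f"{metric} score {value!r} is not a number in 0..10")

    exploits = []
    for item in _split(row["PublicExploit"]):
        level, _, url = item.partition(":")
        if level not in DIFFICULTY or not url:
            problems.append(f"PublicExploit entry {item!r} needs difficulty:url")
            continue
        exploits.append({"difficulty": level, "rank": DIFFICULTY[level], "url": url})

    return Finding(
        uuid=row["UUID"], reporting_date=row["ReportingDate"], systems=systems,
        title=row["Title"], description=row["Description"], risk=row["Risk"],
        cves=cves, mitigation=row["MitigationAdvisory"], scores=scores,
        exploits=exploits, references=_split(row["Reference"]), problems=problems,
    )


def load_vrs_csv(text):
    """Parse a CSV document with the VRS header row into Finding objects."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"CSV header is missing columns: {missing}")
    return [parse_finding(row) for row in reader]


def to_json(findings):
    """Serialise findings for ingestion by the receiving organisation's tooling."""
    return json.dumps([asdict(f) for f in findings], indent=2)


# Constructed sample: the example values from above plus one deliberately broken row.
SAMPLE_CSV = """UUID,ReportingDate,Systems,Title,Description,Risk,CVES,MitigationAdvisory,SecurityScore,PublicExploit,Reference
OC1234567890,20230725,ip:192.168.1.1:52 fqdn:test.local.com:80,Weak Password found,"In a file at \\\\server\\location\\text.txt there was a password which was weak.",An adversary may compromise the system and take over control,CVE-2023-0000,Install Microsoft patch KB1234567 see https://support.microsoft.com/en-us/topic/patchnotes,CVSS3:8.3 OSSTMM3:exposure,low:https://github.com/exploit medium:https://github.com/exploit2,https://url.test.com
OC1234567891,2023-07-26,ip:10.0.0.5 ip:10.0.0.5,Outdated TLS,Server offers TLS 1.0.,Traffic may be decrypted.,CSV-2023-00,Disable TLS 1.0.,CVSS3:high,unknown:https://github.com/exploit3,
"""

if __name__ == "__main__":
    findings = load_vrs_csv(SAMPLE_CSV)
    print(to_json(findings))
    for f in findings:
        for p in f.problems:
            print(f"{f.uuid}: {p}")
```

Validation problems are collected per finding rather than raised, so one malformed row from a scanner export does not block ingestion of the rest; the receiving side can route findings with a non-empty `problems` list back to the reporting entity. The duplicate check only catches byte-identical system entries: detecting that an IP and an FQDN refer to the same host would require name resolution, which the format itself cannot express.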
CSV example: https://github.com/pvtUnitfueler/VulnerabilityReportingStandard/blob/main/VRS.csv
JSON example: https://github.com/pvtUnitfueler/VulnerabilityReportingStandard/blob/main/VRS.json
XML example: https://github.com/pvtUnitfueler/VulnerabilityReportingStandard/blob/main/VRS.xml

Conversion scripts:
CSV to JSON: https://github.com/pvtUnitfueler/VulnerabilityReportingStandard/blob/main/vrs_csv2json.py
JSON to XML: https://github.com/pvtUnitfueler/VulnerabilityReportingStandard/blob/main/vrs_json2xml.py
TODO
Please leave a comment or suggestion as an issue, or propose a change via a merge request or issue.