Vulnerability Disclosure Report (VDR)
Communicate known and unknown vulnerabilities affecting components and services
Known vulnerabilities inherited from the use of third-party and open source software can be communicated with CycloneDX. Previously unknown vulnerabilities affecting both components and services may also be disclosed using CycloneDX, making it ideal for Vulnerability Disclosure Report (VDR) use cases.
NIST SP 800-161: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations defines Vulnerability Disclosure Reports (VDR) as a best practice and recommends VDRs include:
- Analysis and findings describing the impact (or lack thereof) that a reported vulnerability has on a component or product
- Plans to address the vulnerability
- Signing the VDR with a trusted, verifiable, private key that includes a timestamp indicating the date and time of the VDR signature
- Publishing the VDR to a secure portal
CycloneDX exceeds the data field requirements defined in ISO/IEC 29147:2018 for vulnerability disclosure information and provides a simple path for including Vulnerability Exploitability eXchange (VEX) information.
Independent BOM and VDR BOM
CycloneDX fully supports all NIST recommendations for VDR including:
- Optional analysis of the impact of each reported vulnerability against a component, service, or product
- Plans to address the vulnerability
- Enveloped signatures using XML Signature or JSON Signature Format, or detached signatures
- Publishing to a security portal via the CycloneDX BOM Exchange API, which is implemented in the CycloneDX BOM Repository Server
With CycloneDX, it is possible to reference a component, service, or vulnerability inside a BOM from other systems or other BOMs. This deep-linking capability is referred to as BOM-Link and is a formally registered URN.
Learn more about how CycloneDX makes use of BOM-Link.
CycloneDX VDR BOMs can also be used alongside alternative SBOM formats such as SPDX, but without the tight integration of BOM-Link or the backing of an IETF-registered URN for linkage. Vendor support may vary.
BOM With Embedded VDR
CycloneDX also supports embedding VDR information inside a BOM, producing a single artifact that describes both inventory and VDR data. There are several uses for embedding VDR data, including:
- Audit use cases where inventory and vulnerability data need to be captured at a specific point in time
- Automated security tools that emit a single BOM with embedded vulnerability or VDR data for convenience and portability
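The two NIST items CycloneDX maps onto the `vulnerabilities[].analysis` object (impact findings and the plan to address) and the BOM-Link URN used for the independent-VDR case are easiest to see in a concrete document. The following is an added example, not code from the CycloneDX project or its examples repository: it assembles a small CycloneDX 1.4 JSON BOM with one embedded VDR entry, checks that the entry carries an analysis state and a response from the schema's enumerations, verifies that every `affects[].ref` resolves either to a local `bom-ref` or to an external BOM-Link, and derives the `urn:cdx:serialNumber/version#bom-ref` link for the component. The component, the advisory ID `EXAMPLE-2024-0001`, the URL and the analysis text are constructed placeholders; percent-encoding the `bom-ref` fragment is this example's choice. Signing (JSF or XML Signature) is left out.

```python
"""Build a CycloneDX 1.4 JSON BOM with an embedded VDR entry and derive a BOM-Link.

Constructed example: the component, advisory id and analysis values below are
placeholders, not real advisory data.
"""
import json
import urllib.parse
import uuid

SPEC_VERSION = "1.4"

# Enumerations from the CycloneDX vulnerability 'analysis' object.
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"}
RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback",
             "workaround_available"}


def build_bom(serial_number=None):
    """Return a BOM dict whose inventory and VDR data live in one artifact."""
    serial = serial_number or f"urn:uuid:{uuid.uuid4()}"
    component = {
        "type": "library",
        "bom-ref": "acme-lib",               # local identifier targeted by affects[].ref
        "group": "com.example",              # placeholder coordinates
        "name": "acme-lib",
        "version": "1.2.3",
        "purl": "pkg:maven/com.example/acme-lib@1.2.3",
    }
    vulnerability = {
        "id": "EXAMPLE-2024-0001",           # placeholder, not a real advisory id
        "source": {"name": "Constructed advisory",
                   "url": "https://example.invalid/advisories/0001"},
        "ratings": [{"severity": "high", "method": "other"}],
        "description": "Placeholder description of the reported issue.",
        "analysis": {
            # NIST item 1: findings on the impact (or lack of it) on this product
            "state": "not_affected",
            "justification": "code_not_reachable",
            # NIST item 2: plan to address the vulnerability
            "response": ["will_not_fix"],
            "detail": "The affected function is never invoked by this product.",
        },
        "affects": [{"ref": component["bom-ref"]}],
    }
    return {
        "bomFormat": "CycloneDX",
        "specVersion": SPEC_VERSION,
        "serialNumber": serial,
        "version": 1,
        "components": [component],
        "vulnerabilities": [vulnerability],
    }


def check_vdr_entry(vuln):
    """Return problems found; an empty list means the entry carries analysis and plan."""
    problems = []
    analysis = vuln.get("analysis") or {}
    if analysis.get("state") not in ANALYSIS_STATES:
        problems.append("analysis.state missing or not a CycloneDX enum value")
    if not analysis.get("response"):
        problems.append("analysis.response (plan to address) missing")
    elif not set(analysis["response"]) <= RESPONSES:
        problems.append("analysis.response contains a non-enum value")
    if not vuln.get("affects"):
        problems.append("affects[] empty: entry names no affected component or service")
    return problems


def unresolved_refs(bom):
    """affects[].ref values that name neither a local bom-ref nor an external BOM-Link."""
    local = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    local |= {s["bom-ref"] for s in bom.get("services", []) if "bom-ref" in s}
    return [a["ref"]
            for v in bom.get("vulnerabilities", [])
            for a in v.get("affects", [])
            if a["ref"] not in local and not a["ref"].startswith("urn:cdx:")]


def bom_link(bom, bom_ref=None):
    """Build urn:cdx:<uuid>/<version>[#<bom-ref>] for this BOM or one element in it."""
    serial = bom["serialNumber"]
    prefix = "urn:uuid:"
    if not serial.startswith(prefix):
        raise ValueError("serialNumber must be a urn:uuid")
    link = f"urn:cdx:{serial[len(prefix):]}/{bom['version']}"
    if bom_ref:
        link += "#" + urllib.parse.quote(bom_ref, safe="")  # encoding is this example's choice
    return link


if __name__ == "__main__":
    bom = build_bom()
    print(json.dumps(bom, indent=2))
    print("problems:", check_vdr_entry(bom["vulnerabilities"][0]))
    print("dangling refs:", unresolved_refs(bom))
    print("link to component:", bom_link(bom, "acme-lib"))
```

An independent VDR BOM uses the same `vulnerabilities[]` shape but points `affects[].ref` at the link `bom_link()` produces for the inventory BOM instead of at a local `bom-ref`; `unresolved_refs()` accepts both forms, so the same check serves either layout.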
High-Level Object Model
Examples
BOMs demonstrating VDR capabilities can be found at https://github.com/CycloneDX/bom-examples