Commit 92eaa75

Updated table and description
1 parent caf3c16 commit 92eaa75

1 file changed

+18
-17
lines changed


VDR/README.md

@@ -14,23 +14,24 @@ defines Vulnerability Disclosure Reports (VDR) as a best practice and recommends
1414

1515
## Distinction between Vulnerability Disclosure Report (VDR) and Vulnerability Exploitability eXchange (VEX)
1616

17-
| | VDR | VEX |
18-
|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
19-
| __Scope__ | Product or dependencies (components and services) | Product, product family, or entire organization |
20-
| __Expectation__ | Asserts all vulnerabilities affecting a product, component or service | Negative security advisory intended to state all vulnerabilities a product is not affected by |
21-
| __Vulnerability types__ | Known and previously unknown vulnerabilities | Known vulnerabilities |
22-
| __Analysis decision__ | Describes impact of the vulnerability (if any), vendor response, and expectations | Describes impact of the vulnerability (if any), vendor response, and expectations |
23-
| __Publish lifecycle__ | <li>Published alongside SBOM</li><li>Continuously updated when new vulnerabilities affecting the product are discovered or when analysis decisions are updated</li> | <li>Published alongside SBOM (except CSAF)</li><li>Continuously updated when new vulnerabilities are published or when analysis decisions are updated</li> |
24-
| __Agency support__ | [NIST SP 800-161](https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final) recommendation | CISA (pseudo specification) |
25-
| __Vendor investment__ | Moderate | High |
26-
| __Consumer investment__ | Low | High |
27-
| __Limitations__ | Overarching statements (e.g. entire organization) are not permitted | Cannot describe previously unknown vulnerabilities affecting products or dependencies (components and services) |
28-
| __Formats and standards__ | CycloneDX, SAG-PM VDR | CycloneDX, CSAF |
29-
| __Additional requirements__ | <li>SBOM and VDR must both be imported by consumer</li><li>SBOM and VDR analysis is optional</li> | <li>SBOM and VEX must both be imported and analyzed by consumer.</li><li>Both vendor and consumer must either: <ol><li>Use the same sources of vulnerability intelligence</li><li>or agree on a least common denominator (NVD) thus limiting the breadth and accuracy of vulnerability intelligence</li></ol></li> |
30-
| __Risk transparency__ | Communicates risk and modified severity (CVSS temporal and environmental metrics, OWASP risk rating, etc) as it relates to the product | Does not communicate risk or modified severity |
31-
| __Attestation support__ | VDR is an attestation that the vendor has checked product dependencies for vulnerabilities and has communicated them | VEX is an attestation of what vulnerabilities do not affect a product, and optionally, the ones that do. VEX does not require vendor to check product dependencies for vulnerabilities, or communicate them |
32-
| __Tool availability__ | Widespread | Limited |
33-
| __Results__ | Consumers have a clear understanding of the vulnerabilities affecting a product and the vulnerabilities that do not | Consumers have a clear understanding of the vulnerabilities affecting a product and the vulnerabilities that do not |
17+
Below is a brief comparison between VDR and VEX.
18+
19+
| | VDR | VEX |
20+
|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
21+
| __Scope__ | Product or dependencies (components and services) | Product, product family, or entire organization |
22+
| __Expectation__ | Asserts all vulnerabilities affecting a product, component or service | Negative security advisory intended to state all vulnerabilities a product is not affected by |
23+
| __Vulnerability types__ | Known and previously unknown vulnerabilities | Known vulnerabilities |
24+
| __Analysis decision__ | Describes the impact of the vulnerability (if any), vendor response, and expectations | Describes the impact of the vulnerability (if any), vendor response, and expectations |
25+
| __Publish lifecycle__ | &bull;&nbsp;Published alongside SBOM<br/>&bull;&nbsp;Continuously updated when new vulnerabilities <u>affecting the product</u> are discovered or when analysis decisions are updated | &bull;&nbsp;Published alongside SBOM (except CSAF)<br/>&bull;&nbsp;Continuously updated when new vulnerabilities are published or when analysis decisions are updated |
26+
| __Agency support__ | [NIST SP 800-161](https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final) recommendation | CISA (pseudo specification) |
27+
| __Limitations__ | Overarching statements (e.g. entire organization) are not permitted | Cannot describe vulnerabilities that do not already have an identifier (e.g. previously unknown vulnerabilities) |
28+
| __Formats and standards__ | CycloneDX, SAG-PM VDR | CycloneDX, CSAF, OpenVEX (in development) |
29+
| __Risk transparency__ | Communicates risk and modified severity (CVSS temporal and environmental metrics, OWASP risk rating, etc) as it relates to the product | Does not communicate risk or modified severity |
30+
| __Attestation support__ | VDR is an attestation that the vendor has checked product dependencies for vulnerabilities and has communicated them | VEX is an attestation of what vulnerabilities do not affect a product, and optionally, the ones that do. VEX does not require a vendor to check product dependencies for vulnerabilities, or communicate them |
31+
| __Tool availability__ | Widespread | Limited |
32+
| __Results__ | Consumers have a clear understanding of the vulnerabilities affecting a product and the vulnerabilities that do not | Consumers have a clear understanding of the vulnerabilities affecting a product and the vulnerabilities that do not |
33+
34+
For an in-depth comparison between VDR and VEX, refer to [Vulnerability and Exploitability Transparency - VDR & VEX](https://owasp.org/blog/2023/02/07/vdr-vex-comparison)
3435

3536
## Independent BOM and VDR
3637
Inventory described in a BOM (SBOM, SaaSBOM, etc) will typically remain static until such time the inventory changes.
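Review bot: Three rows are dropped from the comparison table without the commit message saying so: "Vendor investment", "Consumer investment" and "Additional requirements" (old lines 25, 26 and 29) have no counterpart in the new table. The "Additional requirements" row carried the one practical caveat a consumer needs to weigh VEX, namely that "Both vendor and consumer must either: Use the same sources of vulnerability intelligence or agree on a least common denominator (NVD)"; without it, the remaining "Tool availability: Limited" and "Attestation support" rows no longer explain why VEX costs the consumer more than VDR. Either restore that row (it can keep the new `&bull;&nbsp;`/`<br/>` formatting used in "Publish lifecycle") or state in the commit message that the investment and requirements comparisons are being removed deliberately. Two smaller points in the same hunk: "OpenVEX (in development)" in the "Formats and standards" row will go stale quickly, so consider linking the spec or dating the claim as is done for NIST SP 800-161 in the row above; and the added closing sentence "For an in-depth comparison between VDR and VEX, refer to [...]" is missing its terminating period.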
