In announcing the legislation in August, Warner said that vulnerability disclosure policies, or VDPs, “are a crucial tool used to proactively identify and address software vulnerabilities,” and that this bill would “better protect our critical infrastructure and sensitive data from potential attacks.”
Vulnerability Disclosure Reports are also supported within the CycloneDX and SPDX v2.3 SBOM standards.
The CISA Secure by Design Software Acquisition Guide also provides detailed guidance on the use of Vulnerability Disclosure Reports, which NIST now refers to as “Vulnerability Advisory Reports” (VAR): “Ensure that third-party suppliers continuously enrich SBOM data with a VAR.” Under Secure by Design best practices, software consumers require software suppliers to provide information on software vulnerabilities; refer to the Software Acquisition Guide for details.
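As an added example (not part of the original post, and not the VAR schema it links), the following Python check shows what “SBOM data enriched with a VAR” looks like in CycloneDX JSON form: it confirms that the SBOM carries vulnerability disclosure entries, that each entry's affected reference resolves to a component bom-ref, and that the supplier has stated an analysis state. The sample SBOM, its component and the advisory id are constructed placeholders.

```python
"""Check that a CycloneDX JSON SBOM carries vulnerability disclosure
entries (the CycloneDX form of a VDR/VAR) that resolve to its components."""
import json

# Constructed sample: a minimal CycloneDX 1.4 SBOM with one component and
# one vulnerability entry attached to it via bom-ref. All values are
# placeholders, including the advisory id.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.2.3",
         "bom-ref": "pkg:generic/example-lib@1.2.3"}
    ],
    "vulnerabilities": [
        {"id": "CVE-0000-00000",  # placeholder, not a real advisory
         "source": {"name": "example-supplier-var"},
         "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:generic/example-lib@1.2.3"}],
         "analysis": {"state": "in_triage"}}
    ],
})


def check_var_enrichment(sbom_json: str) -> dict:
    """Summarise the VAR/VDR content of a CycloneDX JSON SBOM.

    'dangling' lists vulnerability ids whose affects[].ref matches no
    component bom-ref (the disclosure cannot be tied to a shipped part);
    'untriaged' lists ids with no analysis state, i.e. the supplier has
    not said whether the component is actually affected."""
    bom = json.loads(sbom_json)
    refs = {c.get("bom-ref") for c in bom.get("components", [])}
    vulns = bom.get("vulnerabilities", [])
    dangling, untriaged = [], []
    for v in vulns:
        for a in v.get("affects", []):
            if a.get("ref") not in refs:
                dangling.append(v.get("id"))
        if not v.get("analysis", {}).get("state"):
            untriaged.append(v.get("id"))
    return {"has_var": bool(vulns), "count": len(vulns),
            "dangling": dangling, "untriaged": untriaged}


if __name__ == "__main__":
    print(check_var_enrichment(SAMPLE_SBOM))
```

An SBOM that reports `has_var` false has no disclosure data at all, while non-empty `dangling` or `untriaged` lists are the cases a consumer would send back to the supplier.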
An updated open-source Vulnerability Advisory Report format, following the NIST SP 800-161r1-upd1 RA-5 recommendations, is now available for public use under the MIT open-source license:
SBOM VAR Schema (XML)
SBOM VAR Example (XML) (i.e. the CARFAX concept)
A JSON VAR example will also be provided shortly.