Add Q4 2025 Vulnerability Disclosures WG Update#542
Open
Conversation
This document provides an update on the activities and discussions of the Vulnerability Disclosures Working Group for Q4 2025, including proposals for standardizing vulnerability reporting and addressing challenges in the CVE program. Signed-off-by: Madison Oliver <taladrane@github.com>
lehors
reviewed
Nov 11, 2025
Comment on lines +22 to +34
| - Extensive discussions have taken place regarding the necessity and alignment of a VDR standard with existing frameworks like FedRAMP. | ||
| - The working group has validated the belief that users struggle with CPE identifiers and need a product-centric view of vulnerabilities. | ||
| - Key requirements for a successful VDR standard have been established, including machine-readable format, API accessibility, familiar product naming, and compliance with various standards (NIST SP 800-161r1 RA-5, FedRAMP). | ||
| - Existing VDR solutions from vendors like Cisco have been reviewed, highlighting the need for a standardized, easily parsable format. | ||
| - Motivation for adoption has been discussed, with potential drivers identified in the energy industry and cyber insurance sector. | ||
| - The distinction between VEX (vulnerability-centric) and VDR (product-centric) has been clarified. | ||
|
|
||
| **Up Next (Next 4–8 Weeks):** | ||
|
|
||
| 1. TAC vote for this initiative is open: https://github.com/ossf/tac/issues/530 | ||
| 2. Further exploration of aligning VDR efforts with SBOM standards. | ||
| 3. Continued discussion on how OSV.dev could support exporting data in a newly defined VDR format. | ||
| 4. Investigate how CycloneDX can support "clean" VDRs (reports with zero known vulnerabilities). |
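Review bot: "VDR" is used throughout lines +22 to +34 but never expanded; spell out Vulnerability Disclosure Report on first use, since the section also contrasts it with VEX and readers outside the WG will not know the acronym. Item 1 of "Up Next" links the TAC vote (https://github.com/ossf/tac/issues/530) without recording its status; adding a one-line outcome next to the link, or moving the item under the "previous period" bullets once the vote closes, keeps the section from going stale.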
Contributor
This section is now unfortunately out of date given that issue #530 was discussed by the TAC and the request for funding was turned down based on the existence of the CycloneDX VDR format and the desire to engage with that community rather than creating a competing format.
Contributor
+1 we may want to update this section before we merge
gkunz
approved these changes
Nov 11, 2025