An Explanation of the NIST Vulnerability Disclosure Report (VDR)
Questions about the nature and function of NIST VDRs are common. This article draws on the NIST Standards and Guidelines for Executive Order 14028 to answer them.
To help software vendors and software consumers implement the requirements of EO 14028, NIST has published a series of guidance documents. The EO obligations that NIST had to fulfil began with a set of guidelines for the distribution of software. Note that only two of the items listed in Section 4(e) of EO 14028 are relevant to software vendor reporting:
(e)(iv) Employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, operating regularly or at a minimum before a product, version, or update is released;
(e)(v) Providing, when requested by a purchaser, artifacts of the execution of the tools and processes described in subsections (e)(iii) and (iv), and making publicly available summary information on the completion of these actions, including a summary description of the risks assessed and mitigated.
Those publications cover a broad range of topics; this article focuses only on the requirements for SBOM Vulnerability Disclosure Reports (VDRs).
Since the release of the NIST Secure Software Development Framework (SSDF), software vendors have been responsible for providing attestations about the practices they use in their software supply chain.
Under the NIST guidance, a VDR is the vendor's assurance that every component in the software's SBOM was checked for vulnerabilities before release; it is one of the artifacts that the second bullet above requires a vendor to provide on request.
The following summary, produced by "connecting the dots" among the NIST publications on this topic, covers attestations for the NIST Secure Software Development Framework (SSDF), SP 800-161 Rev. 1, and the NIST EO 14028 materials on vulnerability disclosure reporting:
Examples of enhanced attestation capabilities include:
On-site audits, independent quality assurance testing, and/or manufacturer or third-party attestations
Continuous monitoring of lower-level artifacts, such as technical and functional security measures, and/or more frequent supplier compliance with attestation agreements
Enhanced bills of materials, such as component-level vulnerability disclosure data from vendors
Second, the vendor must use secure software development practices throughout the whole software life cycle and be able to attest to this. Because modern software changes continuously, evidence of ongoing processes and procedures is often more valuable than evidence of how things were done for one specific release produced by a single run of those processes. This is particularly important for post-release procedures such as vulnerability disclosure and response, where the actions for the most recent release may not yet have taken place.
As for what information these attestations should contain, the National Institute of Standards and Technology (NIST) offers recommendations but does not mandate a specific format for attestation artifacts.
Explicit guidance on what a NIST Vulnerability Disclosure Report should contain is given in control RA-5 of SP 800-161 Rev. 1 (search the text for RA-5).
RA-5 Vulnerability Monitoring and Scanning
As part of C-SCRM, the enterprise should conduct vulnerability monitoring and scanning of the suppliers, developers, system integrators, external system service providers, and other service providers involved in delivering ICT/OT to the enterprise.
To protect the systems, components, and raw materials that suppliers deliver, the enterprise should use vulnerability monitoring tools and data to watch for cybersecurity supply chain vulnerabilities in them.
Vulnerability monitoring should take place at all three levels of the enterprise, and both primary and secondary suppliers should be in scope of the vulnerability monitoring program.
A Vulnerability Disclosure Report (VDR) can help enterprises deliver accurate and complete vulnerability assessments of the components listed in an SBOM, which may be acceptable in certain cases. The VDR should include analysis and findings that describe how each discovered vulnerability does, or does not, affect the product or component.
The VDR should also state how to address each CVE. Enterprises should consider publishing the VDR to customers through a secure portal and signing it with a trusted, verifiable private key, with a timestamp recording when the signature was made. Where a vulnerability exists that is not listed in the VDR, enterprises should consider providing customers with an alternative notification route.
This control should be required of top-tier contractors, who are expected to flow it down to their subcontractors. Departments and agencies should consult Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the Nation's Cybersecurity.
Providing a NIST VDR to software end users is gaining traction as a best practice recommended by the National Institute of Standards and Technology.
SPDX SBOM v2.3 adds provisions (Annex K.1.9) that let a software vendor associate a product's online NIST VDR attestation with the product's SBOM document.
The OWASP CycloneDX SBOM standard accepts both the NIST VDR and the CycloneDX VEX formats. Whenever a new vulnerability is discovered, the software vendor updates the VDR document that the link points to.
This "always updated NIST VDR" gives users continuous, current insight into the vulnerabilities that may exist in an installed software product as new CVEs are reported, answering the question "What is the vulnerability status of my software product from Vendor V right now?"
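What the RA-5 text and the SPDX/CycloneDX linking above amount to in practice, as an added example that is not part of the original article and not code from NIST, SPDX or CycloneDX: a vendor builds a per-component VDR (analysis plus remediation for each finding), signs the exact bytes it publishes with a timestamped revision, and a consumer verifies the signature, rejects a stale revision, and lists the components of its own SBOM that the VDR does not claim to have assessed (the case RA-5 says needs an alternative notification route). The JSON layout, the Ed25519 signature, the product name, the purls and the CVE-0000-000x placeholders are all assumptions and constructed data for this example; NIST prescribes no format, and the SPDX/CycloneDX link to the published VDR is not modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Component is one SBOM entry, identified by its package URL (purl).
type Component struct {
	Purl string `json:"purl"`
}

// Finding is one VDR entry: a CVE reported against an SBOM component, the
// vendor's analysis of whether it impacts the product, and how to address it.
type Finding struct {
	ID          string `json:"id"`          // CVE identifier (placeholders below, not real CVEs)
	Affects     string `json:"affects"`     // purl of the component the CVE was reported against
	State       string `json:"state"`       // "affected", "not_affected" or "under_investigation"
	Analysis    string `json:"analysis"`    // why the CVE does or does not impact the product
	Remediation string `json:"remediation"` // upgrade, configuration change, or "none required"
}

// VDR is the document the vendor signs and republishes whenever it changes.
// This field layout is an assumption for the example, not a NIST format.
type VDR struct {
	Product    string      `json:"product"`
	Version    string      `json:"version"`
	Timestamp  time.Time   `json:"timestamp"`  // when this revision was issued
	Components []Component `json:"components"` // every SBOM component the vendor assessed
	Findings   []Finding   `json:"findings"`
}

// SignedVDR carries the published payload with its detached Ed25519 signature.
type SignedVDR struct {
	Payload   []byte
	Signature []byte
}

// Sign serialises the VDR and signs the exact bytes that will be published.
// encoding/json emits struct fields in declaration order, so the payload is
// stable for a given VDR and the consumer verifies the same bytes.
func Sign(v VDR, key ed25519.PrivateKey) (SignedVDR, error) {
	payload, err := json.Marshal(v)
	if err != nil {
		return SignedVDR{}, err
	}
	return SignedVDR{Payload: payload, Signature: ed25519.Sign(key, payload)}, nil
}

// Verify checks the signature with the vendor's published public key, then
// rejects a revision older than maxAge so that a stale copy of an
// "always updated" VDR cannot pass as the current one.
func Verify(s SignedVDR, pub ed25519.PublicKey, now time.Time, maxAge time.Duration) (VDR, error) {
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return VDR{}, errors.New("VDR signature does not verify")
	}
	var v VDR
	if err := json.Unmarshal(s.Payload, &v); err != nil {
		return VDR{}, err
	}
	if now.Sub(v.Timestamp) > maxAge {
		return VDR{}, fmt.Errorf("VDR issued %s is older than %s", v.Timestamp.Format(time.RFC3339), maxAge)
	}
	return v, nil
}

// Uncovered lists purls from the consumer's own SBOM that the VDR does not
// claim to have assessed; for those the consumer needs the vendor's
// alternative notification route that RA-5 asks for.
func Uncovered(sbom []string, v VDR) []string {
	covered := make(map[string]bool, len(v.Components))
	for _, c := range v.Components {
		covered[c.Purl] = true
	}
	var missing []string
	for _, p := range sbom {
		if !covered[p] {
			missing = append(missing, p)
		}
	}
	return missing
}

// SampleVDR is constructed data for this example; product, purls and CVE ids are illustrative.
func SampleVDR(issued time.Time) VDR {
	return VDR{
		Product: "ExampleApp", Version: "2.4.0", Timestamp: issued,
		Components: []Component{{Purl: "pkg:maven/org.example/parser@1.2.3"}, {Purl: "pkg:npm/example-ui@4.0.1"}},
		Findings: []Finding{
			{ID: "CVE-0000-0001", Affects: "pkg:maven/org.example/parser@1.2.3", State: "not_affected",
				Analysis: "vulnerable path needs external entity expansion, which the product disables", Remediation: "none required"},
			{ID: "CVE-0000-0002", Affects: "pkg:npm/example-ui@4.0.1", State: "affected",
				Analysis: "reflected XSS reachable from the login page", Remediation: "upgrade to ExampleApp 2.4.1"},
		},
	}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair; pub is what the vendor publishes
	issued := time.Date(2023, 6, 1, 12, 0, 0, 0, time.UTC)
	signed, _ := Sign(SampleVDR(issued), priv)
	v, err := Verify(signed, pub, issued.Add(24*time.Hour), 7*24*time.Hour) // consumer side, one day later
	if err != nil {
		panic(err)
	}
	sbom := []string{"pkg:maven/org.example/parser@1.2.3", "pkg:npm/example-ui@4.0.1", "pkg:golang/example.com/extra@0.9.0"}
	fmt.Println("components not assessed by this VDR:", Uncovered(sbom, v))
}
```

Two design points matter for a real deployment. The signature must cover the bytes the consumer actually downloads, which is why the block signs the serialised payload rather than an in-memory struct, and the consumer's freshness check needs a maximum age agreed with the vendor, because a signature alone proves authorship, not that the copy is the current revision.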
In conclusion, a NIST Vulnerability Disclosure Report (VDR) is an assurance from a software vendor that it has evaluated each component of a software product's SBOM for vulnerabilities and has reported the specifics of any vulnerabilities found through a NIST NVD search. As new vulnerabilities are identified and reported, the software vendor updates the VDR.
When a software vendor releases a new version of a product or updates the SBOM for an existing version, it also issues a new version of the VDR, so consumers always have access to the most recent and complete documentation. Software end users can now answer the question "How secure is my current version of Vendor V's software?"