
No more mention of VDR in latest version of NIST SP 800-161 #54

Open
jbmaillet opened this issue Jan 23, 2025 · 3 comments

Comments

@jbmaillet

Re-reading @stevespringett's article on the OWASP website (https://owasp.org/blog/2023/02/07/vdr-vex-comparison), and searching for the authoritative reference regarding VDR, I noticed that NIST SP 800-161, originally from 2015, has been superseded:
https://csrc.nist.gov/pubs/sp/800/161/r1/final

The new revision can be found here, published in May 2022, so after @stevespringett's article, but including updates as of 11-01-2024 (sic):
https://csrc.nist.gov/pubs/sp/800/161/r1/upd1/final
...and in this document, all references to VDR have disappeared. The revision history at the end does not specifically mention this change. I have no idea of the motivations behind this (unfortunate IMHO) removal. I must still have the original SP in my archive; I'll try to dig deeper into the modified section. On a higher level, the update of this SP as a whole seems to be coming from EO 14028.

Whatever the reason, as of today, at least this mention of this NIST SP is out of date in the CDX project:
https://github.com/CycloneDX/bom-examples/blob/master/VDR/README.md#distinction-between-vulnerability-disclosure-report-vdr-and-vulnerability-exploitability-exchange-vex

Note that I do not consider that this makes the VDR concept obsolete. Just that the NIST can't be referred to, except for historical purposes.

@jkowalleck
Member

@jbmaillet, feel free to open a pull request with the needed modifications, if you like 👍

@stevespringett
Member

I believe VDR has been rebranded by NIST as VAR (vulnerability advisory report) and this is indicated on our website. But VDR remains the focus because that's the term people are accustomed to using.

https://csrc.nist.gov/glossary/term/vulnerability_advisory_report

There's also Vulnerability Report, which is also mentioned in 161r1.

https://csrc.nist.gov/glossary/term/vulnerability_report

@jbmaillet
Author

@stevespringett thanks for the clarification.

And so for the completeness of references:

In the original NIST SP 800-161r1 from 2022, VDR was defined in section RA-5 VULNERABILITY MONITORING AND SCANNING, page 131.
https://csrc.nist.gov/pubs/sp/800/161/r1/final

Enterprises, where applicable and appropriate, may consider providing customers with a Vulnerability Disclosure Report (VDR) to demonstrate proper and complete vulnerability assessments for components listed in SBOMs. The VDR should include the analysis and findings describing the impact (or lack of impact) that the reported vulnerability has on a component or product. The VDR should also contain information on plans to address the CVE. Enterprises should consider publishing the VDR within a secure portal available to customers and signing the VDR with a trusted, verifiable, private key that includes a timestamp indicating the date and time of the VDR signature and associated VDR. Enterprises should also consider establishing a separate notification channel for customers in cases where vulnerabilities arise that are not disclosed in the VDR. Enterprises should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors. Departments and agencies should refer to Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.

As of 2024 in NIST SP 800-161r1-upd1 aka 161 revision 1 update 1:
https://csrc.nist.gov/pubs/sp/800/161/r1/upd1/final
VDR is no longer mentioned; vulnerability advisory report (VAR) is instead defined in the same section RA-5 VULNERABILITY MONITORING AND SCANNING, now page 134, after the mention of vulnerability reports, emphasis mine:

Technology providers may consider maintaining processes to receive, investigate, track, and respond to vulnerability reports that are received from vulnerability reporters (e.g., security researchers). Per [ISO/IEC 29147], a vulnerability report includes elements such as product name, affected version, classification, root cause, proof of concept, steps for reproduction, impact, and severity. Upon the receipt of a vulnerability report, providers should verify the vulnerability, develop and test a remediation, securely disclose and release the remediation to customers and/or the general public as a vulnerability advisory report (VAR). Per [ISO/IEC 29147], the elements of a VAR include an identifier, date/time, title, overview, list of affected products, description of intended audience, description of the vulnerability, impact, severity, remediation, references, discovery credit, contact information, revision history, and/or terms of use. While not required, it is good practice to ensure the machine readability of the VAR. In addition, Section 4E of Appendix F on Executive Order 14028, Improving the Nation’s Cybersecurity, provides guidance on attestation to cybersecurity practices. Practices that have not been attested to may be vulnerabilities that need to be monitored. Enterprises should require their prime contractors to implement this control and flow down this requirement to relevant sub-tier contractors. Departments and agencies should refer to Appendix F to implement this guidance in accordance with Executive Order 14028, Improving the Nation’s Cybersecurity.

A shorter definition is also given in Appendix H, Glossary, page 298, with the definition of vulnerability advisory report and, by contrast, of vulnerability report (not advisory) for short. Full quotes:

vulnerability advisory report: Publication by a technology developer and/or provider to customers or the general public that describes a vulnerability with a focus on remediation and mitigation. [ISOIEC29147, adapted]
vulnerability report: Notification received by a technology developer and/or provider from a vulnerability reporter, which may include a description of what product or service is affected, how the potential vulnerability can be identified, demonstrated, or reproduced, and what type of functional impact the vulnerability allows. [ISOIEC29147, adapted]

(I think I understand the intention. As for me I would not say that this was needed, rather that it is another layer of icing on the cake of the VDR/VEX/and now VAR mess.)
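As an added illustration (not code from the bom-examples repository, and not a NIST or CycloneDX definition), the following Python maps the ISO/IEC 29147 VAR elements quoted above onto fields of a constructed CycloneDX-style vulnerability document and reports, per element, whether it is present, missing, or has no dedicated field under that mapping. The sample document, the placeholder identifiers in it, and the element-to-field mapping are all this example's own assumptions.

```python
"""Check a CycloneDX-style vulnerability document against the ISO/IEC 29147
VAR elements listed in NIST SP 800-161r1-upd1 (RA-5), as quoted in this thread.

The sample document and the element-to-field mapping below are constructed
for this example; they are not a normative mapping."""
import re

# Constructed sample: a minimal CycloneDX 1.5 BOM carrying one vulnerability
# entry. All identifiers, names and URLs are placeholders.
SAMPLE_VDR = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",  # placeholder
    "version": 1,  # BOM revision counter, stands in for "revision history" here
    "metadata": {
        "timestamp": "2025-01-23T00:00:00Z",
        "supplier": {"name": "Example Vendor",
                     "contact": [{"email": "security@example.invalid"}]},
        "component": {"type": "application", "name": "example-app",
                      "version": "1.0.0", "bom-ref": "app"},
    },
    "components": [
        {"type": "library", "name": "example-lib", "version": "2.3.4",
         "bom-ref": "lib-2.3.4", "purl": "pkg:generic/example-lib@2.3.4"},
    ],
    "vulnerabilities": [{
        "id": "CVE-0000-00000",  # placeholder identifier, not a real CVE
        "source": {"name": "example-tracker", "url": "https://example.invalid/adv/1"},
        "published": "2025-01-20T00:00:00Z",
        "updated": "2025-01-23T00:00:00Z",
        "description": "Constructed example: input validation flaw in example-lib.",
        "detail": "example-app is affected through its bundled example-lib 2.3.4.",
        "ratings": [{"severity": "high", "method": "other"}],
        "recommendation": "Upgrade example-lib to 2.3.5.",
        "affects": [{"ref": "lib-2.3.4"}],
        "analysis": {"state": "exploitable", "response": ["update"],
                     "detail": "Fix scheduled for example-app 1.0.1."},
        "credits": {"individuals": [{"name": "Example Researcher"}]},
        "references": [{"id": "EXAMPLE-ADV-1",
                        "source": {"name": "example-tracker",
                                   "url": "https://example.invalid/adv/1"}}],
    }],
}

# Assumed mapping from each VAR element (in the order NIST lists them) to a
# field path in the sample document. None means this mapping has no dedicated
# field for the element; such gaps are reported rather than silently passed.
VAR_ELEMENT_PATHS = {
    "identifier": "vulnerabilities[0].id",
    "date/time": "vulnerabilities[0].published",
    "title": None,
    "overview": "vulnerabilities[0].description",
    "list of affected products": "vulnerabilities[0].affects",
    "description of intended audience": None,
    "description of the vulnerability": "vulnerabilities[0].detail",
    "impact": "vulnerabilities[0].analysis.state",
    "severity": "vulnerabilities[0].ratings",
    "remediation": "vulnerabilities[0].recommendation",
    "references": "vulnerabilities[0].references",
    "discovery credit": "vulnerabilities[0].credits",
    "contact information": "metadata.supplier.contact",
    "revision history": "version",
    "terms of use": None,
}


def _lookup(doc, path):
    """Resolve a dotted path with [n] list indexes; None if any step is absent."""
    cur = doc
    for key, idx in re.findall(r"([^.\[\]]+)|\[(\d+)\]", path):
        if key:
            if not isinstance(cur, dict) or key not in cur:
                return None
            cur = cur[key]
        else:
            i = int(idx)
            if not isinstance(cur, list) or i >= len(cur):
                return None
            cur = cur[i]
    return cur


def check_var_elements(doc):
    """Return {element: 'present' | 'missing' | 'unmapped'} for every VAR element."""
    result = {}
    for element, path in VAR_ELEMENT_PATHS.items():
        if path is None:
            result[element] = "unmapped"
        elif _lookup(doc, path) in (None, "", [], {}):
            result[element] = "missing"
        else:
            result[element] = "present"
    return result


def missing_or_unmapped(doc):
    """Sorted list of VAR elements the document does not demonstrably carry."""
    return sorted(e for e, s in check_var_elements(doc).items() if s != "present")


if __name__ == "__main__":
    for element, status in check_var_elements(SAMPLE_VDR).items():
        print(f"{element:34} {status}")
```

Running it on the constructed document shows that the CycloneDX vulnerability entry carries most of the listed elements directly, while "title", "description of intended audience" and "terms of use" have no dedicated field under this mapping and would need to be conveyed elsewhere (for instance in the publishing portal or the document's free-text fields).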
