This is a template for a typical vulnerability disclosure from AHA!. This template is licensed under a Creative Commons Attribution 4.0 International License – if you’re writing disclosures for public distribution, please use it!
CVE-20XX-YYYY: $VENDOR $PRODUCT $PROBLEM
Here’s the preamble where you tell the reader what you’re going to tell them.
AHA! has discovered an issue with $PRODUCT from $VENDOR, and is publishing this disclosure in accordance with AHA!’s standard disclosure policy today, on $DATE. CVE-20XX-YYYY has been assigned to this issue.
Any questions about this disclosure should be directed to [email protected].
Executive Summary
Create a short description of the problem, not getting into too much detail, but suitable for a normal CVE description. You MUST include the name of the vendor, the name of the product, the tested version, and the CWE identifier. If you can’t figure out a basic CWE identifier, maybe this isn’t a vulnerability! Guesses on CWEs are totally okay.
Technical Details
This is the guts of the vulnerability, including a mechanism to exploit
it. Be as detailed as you care to be, with a goal of teaching a penetration
tester how to actually leverage the vulnerability as part of an exploit. If
there are binary components, Base64 encode them and include them here. If
there is text console output, such as from gdb and shells and the like, the
actual text is preferred to screenshots.
Very long code, output, or Base64 snippets should be wrapped in the hard-bracket expand meta-tags.
Finally, screenshots should be included inline with the <img
src="data:image/png;base64,iVBOR..."> pattern so copies of this disclosure
will always include your brilliant screenshots. Examples of these patterns
are below.
Here’s an evil PCAP (as seen in CVE-2023-0666):
[expand]
1MOyoQIABAAAAAAAAAAAAP//AAABAAAAW+1JZDkZDgA2AAAANgAAAHRGoNgQS3RGo
CvQ6AgARQAAKAABAABABvfBwKgA58CoANYKKyPjAAC1rAAAAABQAiAAKRoAAFvtSW
SkGg4ANgAAADYAAAB0RqAr0Oh0RqDYEEsIAEUAACgAAQAAQAb3wcCoANbAqADnI+M
KKwAAAAEAALWsUBIgACkJAABb7UlknBsOADYAAAA2AAAAdEag2BBLdEagK9DoCABF
AAAoAAEAAEAG98HAqADnwKgA1gorI+MAALWtAAAAAVAQIAApCgAAW+1JZI4cDgCuB
QAArgUAAHRGoNgQS3RGoCvQ6AgARQAFoAABAABABvJJwKgA58CoANYKKyPjAAC1rQ
AAAAJQGCAA7yIAAAAACJBSVFBTAgABAQAAAAAAAQkBEjRWeAIbeABSZWFkV3JpdJh
2VDIQ/ty6EjRWeN6tur5FZ4kKuqqqrRD+3LpyAEwAAQAAAAYAAABGaQABDgAAAAIA
AAARIjNEVWZ3iJmqu8zd7v8WFxgZICEiIyQBAgMEBQYHCAkQERITFBUWFxgZICEiI
yQDAAAARXhwAAEAAABBYTBBYTFBYTJBYTNBYTRBYTVBYTZBYTdBYThBYTlBYjBBYj
FBYjJBYjNBYjRBYjVBYjZBYjdBYjhBYjlBYzBBYzFBYzJBYzNBYzRBYzVBYzZBYzd
BYzhBYzlBZDBBZDFBZDJBZDNBZDRBZDVBZDZBZDdBZDhBZDlBZTBBZTFBZTJBZTNB
ZTRBZTVBZTZBZTdBZThBZTlBZjBBZjFBZjJBZjNBZjRBZjVBZjZBZjdBZjhBZjlBZ
zBBZzFBZzJBZzNBZzRBZzVBZzZBZzdBZzhBZzlBaAAEAABBaDJBaDNBaDRBaDVBaD
ZBaDdBaDhBaDlBaTBBaTFBaTJBaTNBaTRBaTVBaTZBaTdBaThBaTlBajBBajFBajJ
BajNBajRBajVBajZBajdBajhBajlBazBBazFBazJBazNBazRBazVBazZBazdBazhB
azlBbDBBbDFBbDJBbDNBbDRBbDVBbDZBbDdBbDhBbDlBbTBBbTFBbTJBbTNBbTRBb
TVBbTZBbTdBbThBbTlBbjBBbjFBbjJBbjNBbjRBbjVBbjZBbjdBbjhBbjlBbzBBbz
FBbzJBbzNBbzRBbzVBbzZBbzdBbzhBbzlBcDBBcDFBcDJBcDNBcDRBcDVBcDZBcDd
BcDhBcDlBcTBBcTFBcTJBcTNBcTRBcTVBcTZBcTdBcThBcTlBcjBBcjFBSEEhQUhB
ITRBcjVBcjZBcjdBcjhBcjlBczBBczFBczJBczNBczRBczVBczZBczdBczhBczlBd
DBBdDFBdDJBdDNBdDRBdDVBdDZBdDdBdDhBdDlBdTBBdTFBdTJBdTNBdTRBdTVBdT
ZBdTdBdThBdTlBdjBBdjFBdjJBdjNBdjRBdjVBdjZBdjdBdjhBdjlBdzBBdzFBdzJ
BdzNBdzRBdzVBdzZBdzdBdzhBdzlBeDBBeDFBeDJBeDNBeDRBeDVBeDZBeDdBeDhB
eDlBeTBBeTFBeTJBeTNBeTRBeTVBeTZBeTdBeThBeTlBejBBejFBejJBejNBejRBe
jVBejZBejdBejhBejlCYTBCYTFCYTJCYTNCYTRCYTVCYTZCYTdCYThCYTlCYjBCYj
FCYjJCYjNCYjRCYjVCYjZCYjdCYjhCYjlCYzBCYzFCYzJCYzNCYzRCYzVCYzZCYzd
CYzhCYzlCZDBCZDFCZDJCZDNCZDRCZDVCZDZCZDdCZDhCZDlCZTBCZTFCZTJCZTNC
ZTRCZTVCZTZCZTdCZThCZTlCZjBCZjFCZjJCZjNCZjRCZjVCZjZCZjdCZjhCZjlCZ
zBCZzFCZzJCZzNCZzRCZzVCZzZCZzdCZzhCZzlCaDBCaDFCaDJCaDNCaDRCaDVCaD
ZCaDdCaDhCaDlCaTBCQWEwQWExQWEyQWEzQWE0QWE1QWE2QWE3QWE4QWE5QWIwQWI
xQWIyQWIzQWI0QWI1QWI2QWI3QWI4QWI5QWMwQWMxQWMyQWMzQWM0QWM1QWM2QWM3
QWM4QWM5QWQwQWQxQWQyQWQzQWQ0QWQ1QWQ2QWQ3QWQ4QWQ5QWUwQWUxQWUyQWUzQ
WU0QWU1QWU2QWU3QWU4QWU5QWYwQWYxQWYyQWYzQWY0QWY1QWY2QWY3QWY4QWY5QW
cwQWcxQWcyQWczQWc0QWc1QWc2QWc3QWc4QWc5QWgwQWgxQWgyQWgzQWg0QWg1W+1
JZBUeDgA2AAAANgAAAHRGoCvQ6HRGoNgQSwgARQAAKAABAABABvfBwKgA1sCoAOcj
4worAAAAAgAAuyVQECAAI5EAAFvtSWQAHw4AUgMAAFIDAAB0RqDYEEt0RqAr0OgIA
EUAA0QAAQAAQAb0pcCoAOfAqADWCisj4wAAuyUAAAACUBggAG1hAABBaDZBaDdBaD
hBaDlBaTBBaTFBaTJBaTNBaTRBaTVBaTZBaTdBaThBaTlBajBBajFBajJBajNBajR
BajVBajZBajdBajhBajlBazBBazFBazJBazNBazRBazVBazZBazdBazhBazlBbDBB
bDFBbDJBbDNBbDRBbDVBbDZBbDdBbDhBbDlBbTBBbTFBbTJBbTNBbTRBbTVBbTZBb
TdBbThBbTlBbjBBbjFBbjJBbjNBbjRBbjVBbjZBbjdBbjhBbjlBbzBBbzFBbzJBbz
NBbzRBbzVBbzZBbzdBbzhBbzlBcDBBcDFBcDJBcDNBcDRBcDVBcDZBcDdBcDhBcDl
BcTBBcTFBcTJBcTNBcTRBcTVBcTZBcTdBcThBcTlBcjBBcjFBSEEhQUhBITRBcjVB
cjZBcjdBcjhBcjlBczBBczFBczJBczNBczRBczVBczZBczdBczhBczlBdDBBdDFBd
DJBdDNBdDRBdDVBdDZBdDdBdDhBdDlBdTBBdTFBdTJBdTNBdTRBdTVBdTZBdTdBdT
hBdTlBdjBBdjFBdjJBdjNBdjRBdjVBdjZBdjdBdjhBdjlBdzBBdzFBdzJBdzNBdzR
BdzVBdzZBdzdBdzhBdzlBeDBBeDFBeDJBeDNBeDRBeDVBeDZBeDdBeDhBeDlBeTBB
eTFBeTJBeTNBeTRBeTVBeTZBeTdBeThBeTlBejBBejFBejJBejNBejRBejVBejZBe
jdBejhBejlCYTBCYTFCYTJCYTNCYTRCYTVCYTZCYTdCYThCYTlCYjBCYjFCYjJCYj
NCYjRCYjVCYjZCYjdCYjhCYjlCYzBCYzFCYzJCYzNCYzRCYzVCYzZCYzdCYzhCYzl
CZDBCZDFCZDJCZDNCZDRCZDVCZDZCZDdCZDhCZDlCZTBCZTFCZTJCZTNCZTRCZTVC
ZTZCZTdCZThCZTlCZjBCZjFCZjJCZjNCZjRCZjVCZjZCZjdCZjhCZjlCZzBCZzFCZ
zJCZzNCZzRCZzVCZzZCZzdCZzhCZzlCaDBCaDFCaDJCaDNCaDRCaDVCaDZCaDdCaD
hCaDlCaTBCW+1JZHggDgA2AAAANgAAAHRGoCvQ6HRGoNgQSwgARQAAKAABAABABvf
BwKgA1sCoAOcj4worAAAAAgAAvkFQECAAIHUAAA==
[/expand]
Here’s a picture:
Attacker Value
Why should anyone care about this vuln? What can criminals and spies do with it? Why should I patch or work around it? Come up with one or two reasonable (or unreasonable, for silly vulns) attack scenarios.
Credit
Vulns should credit a person or team. Links to Mastodon or LinkedIn or personal blogs appreciated so if anyone wants to reach out directly, they can. Aliases are totally okay.
This issue is being disclosed through the AHA! CNA and is credited to $YOUR_NAME_HERE
Timeline
At minimum, timelines should capture which meeting this was presented at (and the date), when it was disclosed to the vendor, when the vendor acknowledged the issue, and when the issue was fixed. Feel free to hand-wave over the middle bits. Because our meetings are on the last Thursday of the month, there will almost always be a delay between demo time and disclosure time, since first disclosures on Fridays is a jerk move. This also gives the CVE coordinator time to validate the vuln after the meeting and write this disclosure. Also, be sure to include any links to patches in this timeline.
- YYYY-MM-DD (Thu): Initial findings presented at AHA! Meeting 0xffff
- YYYY-MM-DD (Day): PoC validated and this disclosure drafted.
- YYYY-MM-DD (Day): Disclosed to the vendor via email at [email protected].
- YYYY-MM-DD (Day): Vendor acknowledged the vulnerability.
- YYYY-MM-DD (Day): Vendor released fixed version X.Y.Z.
- YYYY-MM-DD (Day): Public disclosure of CVE-20XX-YYYY.
