There are fundamental data and knowledge that shouldn't be missed when representing vulnerability;
- The name of the vulnerability
- Generic knowledge defining the vulnerability category (vulnerability definition) in detail
- The severity of the vulnerability
- The asset that has the vulnerability
- Specific details of the vulnerability that shows the way to exploit or retest (though much of the time especially developers use this piece to write black lists, unfortunate)
- Helpful mitigation techniques
- Current status of the vulnerability. Is it open or closed or in a status of recheck?
These are the defaults. There are more in NormShield;
- A risk score using severity of the vulnerability and the priority of the related asset. The sole severity of a vulnerability doesn't show its risk.
- Who is responsible to fix the vulnerability? This is really helpful if you don't have the expertise to multiplex a security bug to the right authority.
- The SLA mitigation period of the vulnerability compared to other vulnerabilities with the same severity.
- The extra information that comes with the vulnerability, such as CVSS information, exploitability etc.
- The assets that have the same vulnerability category.
- The history of the actions applied to this vulnerability from the very beginning.
With the data comes the knowledge and it's important to show it eminently. All these details, as shown in Figure 1, and more can be seen clicking vulnerability Details icons listed next to every listed vulnerability.
Figure 1 - Details in vulnerability panorama