Skip to content

Add Short-Form Report Guidance to framework documentation #63

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jasperkeysight wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add Short-Form Report Guidance to framework documentation #63

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bbfdf60
Add Short-Form Report Guidance to framework documentation
jasperkeysight Dec 4, 2025
c7ac42c
Update Documentation/framework.md
jasperkeysight Dec 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions Documentation/framework.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -326,6 +326,17 @@ use the findings in the report to improve design, engineering, build, and test p

Several SRP sample reports can be found in [Appendix A](#appendix-a-example-reports).



## Short-Form Report Guidance
Copy link
Contributor

@rob-tetrel rob-tetrel Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
## Short-Form Report Guidance
### Short-Form Report Guidance


* **Issue detail level:** The SFR should describe risks for product consumers and encourage vendors to improve security. Include enough detail to explain impact, but avoid exploit-enabling specifics. Protect IP by omitting code identifiers (variable, module, or function names).
Copy link
Contributor

@rob-tetrel rob-tetrel Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* **Issue detail level:** The SFR should describe risks for product consumers and encourage vendors to improve security. Include enough detail to explain impact, but avoid exploit-enabling specifics. Protect IP by omitting code identifiers (variable, module, or function names).
* **Issue detail level:** The SFR should describe risks for CSPs and encourage the DV to improve security. Include enough detail to explain impact, but avoid exploit-enabling specifics. Protect IP by omitting code identifiers (variable, module, or function names).

* Example phrasing: “Integer overflow in secure boot could lead to arbitrary code execution in ROM”; “Insecure protection configuration allows loading unsigned code.”
* Avoid: “external_parser.c:195 parse_xml(xml_string) has a stack overflow when xml_string exceeds 1024 bytes, leading to arbitrary code execution.”
* **Qualitative Risk Ratings:** Any qualitative risk rating used by the SRP when reporting findings is not relevant for the purposes of the SFR. For the avoidance of doubt, the CVSS score is the **only** factor determining whether a finding should be included in the SFR. As such, any finding with a non-zero CVSS score **must** be included in the SFR.
Copy link
Contributor

@rob-tetrel rob-tetrel Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* **Qualitative Risk Ratings:** Any qualitative risk rating used by the SRP when reporting findings is not relevant for the purposes of the SFR. For the avoidance of doubt, the CVSS score is the **only** factor determining whether a finding should be included in the SFR. As such, any finding with a non-zero CVSS score **must** be included in the SFR.
* **Quantitative Risk Ratings:** The SFR uses CVSS for quantitative risk ratings. The CVSS score is the primary factor determining whether a finding should be included in the SFR. As such, any finding with a non-zero CVSS score **must** be included in the SFR if it is within the defined security review scope. Findings with a CVSS score of zero, by definition pose no risk to the CSP and must be excluded.

* **Configuration-dependent findings:** If a finding hinges on deployment configuration and the secure configuration plus associated risks are clearly documented in integration guidelines, it should be excluded from the SFR. If integration guidelines are missing and insecure configurations are plausible, include the finding in the SFR.
Copy link
Contributor

@rob-tetrel rob-tetrel Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* **Configuration-dependent findings:** If a finding hinges on deployment configuration and the secure configuration plus associated risks are clearly documented in integration guidelines, it should be excluded from the SFR. If integration guidelines are missing and insecure configurations are plausible, include the finding in the SFR.
* **Configuration-dependent findings:** Findings may exist that depend on configuration.
* If a finding depends on the CSPs deployment configuration and the secure configuration plus associated risks are clearly documented in DV-providedd integration guidelines, it should be excluded from the SFR. If integration guidelines are missing and insecure configurations are plausible, include the finding in the SFR.
* If a finding depends on DV-provided configuration (such as factory fuse configuration) in a way that allows a configuration change to undermine the security of the target without altering the firmware hash recorded in the SFR, then the finding should be included in the SFR.



# Appendix A: Example Reports

* Atredis Partners - [Sample Deliverables](https://www.atredis.com/sample-deliverables)
Expand Down