
Definition

The security profile captures security-related information in an SPDX Security Document. Specifically, the properties and relationships defined in the security profile support exchanging information about vulnerabilities that may exist in a system, the severity of those vulnerabilities, and how a vulnerability may affect a specific element, including whether a fix is available.

Personas

This profile may be produced or consumed by a variety of personas, including:

  • Open source project contributors and maintainers
  • Vulnerability management reporters, publishers, and coordinators
  • Software producers who want to receive vulnerability information from open source projects in a machine-readable, standardized format
  • Individuals or organizations that execute security scanning for systems and want to communicate results
  • Individuals or organizations that receive a security scan and want to communicate impact of that scan using VEX

The security information can be consumed by engineering, security, safety, compliance, quality assurance managers, system operators, auditors, and executives.

Use Cases

Discovery and Disclosure

Communicate the vulnerabilities found by a person (auditor or researcher), a tool, or an organization in a specific part of a system.

Severity

Consumers may use the security profile to learn about the threat posed by a vulnerability in a specific part of a system.

Risk

Consumers may use the security profile to assess the impact and exploitability risk introduced by a vulnerability in a specific piece of software.

Remediation

Communicate how a vulnerability may be addressed, or has already been addressed, for a specific part of a system.
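The four use cases above, as an added example that is not code from the SPDX project or from this page: a consumer walks a small, constructed SPDX 3.0-style security document and reports, per package, what was disclosed, how severe it is, what VEX says about risk, and where the fix is. The class, relationship and property names are the editor's understanding of the SPDX 3.0.1 JSON-LD serialization, are assumptions rather than text from the page, and should be checked against the model files.

```python
import json
from collections import defaultdict

# Constructed sample document (not a real SBOM). Type and property names are assumed to
# follow the SPDX 3.0.1 JSON-LD serialization; verify them against the model files.
SAMPLE_DOC = json.dumps({"@graph": [
    {"type": "software_Package", "spdxId": "urn:ex:libfoo-1.2.0", "name": "libfoo"},
    {"type": "software_Package", "spdxId": "urn:ex:libfoo-1.2.1", "name": "libfoo"},
    {"type": "software_Package", "spdxId": "urn:ex:libbar-3.0.1", "name": "libbar"},
    {"type": "security_Vulnerability", "spdxId": "urn:ex:vuln-1", "externalIdentifier": [{"type":
     "ExternalIdentifier", "externalIdentifierType": "cve", "identifier": "CVE-PLACEHOLDER-0001"}]},
    # Discovery: libfoo 1.2.0 carries the vulnerability.
    {"type": "Relationship", "relationshipType": "hasAssociatedVulnerability",
     "from": "urn:ex:libfoo-1.2.0", "to": ["urn:ex:vuln-1"]},
    # Severity: a CVSS v3 assessment for that vulnerability/package pair.
    {"type": "security_CvssV3VulnAssessmentRelationship", "relationshipType": "hasAssessmentFor",
     "from": "urn:ex:vuln-1", "to": ["urn:ex:libfoo-1.2.0"], "security_severity": "high"},
    # Risk: VEX states that libfoo 1.2.0 is affected and libbar 3.0.1 is not.
    {"type": "security_VexAffectedVulnAssessmentRelationship", "relationshipType": "affects",
     "from": "urn:ex:vuln-1", "to": ["urn:ex:libfoo-1.2.0"]},
    {"type": "security_VexNotAffectedVulnAssessmentRelationship", "relationshipType": "doesNotAffect",
     "from": "urn:ex:vuln-1", "to": ["urn:ex:libbar-3.0.1"]},
    # Remediation: the fix ships in libfoo 1.2.1.
    {"type": "security_VexFixedVulnAssessmentRelationship", "relationshipType": "fixedIn",
     "from": "urn:ex:vuln-1", "to": ["urn:ex:libfoo-1.2.1"]},
]})

def summarize(doc_json):
    """Map (package id, CVE) -> severity, VEX status and the elements the vulnerability is fixed in."""
    graph = json.loads(doc_json)["@graph"]
    elems = {e["spdxId"]: e for e in graph if "spdxId" in e}
    fixes = defaultdict(list)                                           # vuln id -> fixed elements
    report = defaultdict(lambda: {"severity": None, "vex": "unknown"})  # (package, vuln) -> fields
    for r in (e for e in graph if "relationshipType" in e):
        rt = r["relationshipType"]
        if rt == "hasAssociatedVulnerability":   # package -> vulnerability (discovery)
            for vid in r["to"]:
                report[(r["from"], vid)]         # create the pair even if nothing assesses it
        elif rt == "fixedIn":                    # vulnerability -> element containing the fix
            fixes[r["from"]].extend(r["to"])
        else:                                    # vulnerability -> assessed package (severity, VEX)
            for pkg in r["to"]:
                e = report[(pkg, r["from"])]
                e["severity"] = r.get("security_severity", e["severity"])
                if rt in ("affects", "doesNotAffect", "underInvestigationFor"):
                    e["vex"] = rt
    def cve_of(vid):  # prefer the CVE external identifier, else fall back to the spdxId
        ids = elems.get(vid, {}).get("externalIdentifier", [])
        return next((i["identifier"] for i in ids if i["externalIdentifierType"] == "cve"), vid)
    return {(pkg, cve_of(vid)): dict(e, fixed_in=fixes[vid]) for (pkg, vid), e in report.items()}
```

Note that the fixed-in list is recorded per vulnerability, so a not-affected package still sees where the vulnerability is fixed; a real consumer would only act on it for entries whose VEX status is "affects".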

Benefits

Using the security profile clearly communicates vulnerability information and impact to software and/or hardware producers, consumers, intermediaries or end users. It can be used to help assess the security risk of using a specific part of a system.

Demo

The security profile provides syntax around how to use the classes and relationships in the model files on GitHub. For example: