VXDF: Validated Exploitable Data Flow
A standardized JSON format for documenting confirmed security vulnerabilities, together with the evidence needed to prove they are real and the detail needed to act on them. Every VXDF report includes structured evidence.
Key Features
Evidence Required
Structured proof of exploitability with 33 evidence types
Actionable Reports
Clear remediation guidance with technical details
Standardized Format
JSON Schema-validated, machine-readable structure
Designed for interoperability with
What is VXDF?
VXDF (Validated Exploitable Data Flow) is a standardized JSON format for documenting confirmed security vulnerabilities with the evidence needed to prove they're real and fix them fast.
The Problem
The Solution
How VXDF Works
Detect & Validate
Security tools find candidate vulnerabilities and confirm them by actually exploiting them
Generate VXDF
Tools output findings in VXDF format with evidence, code locations, and remediation guidance
Fix with Confidence
Developers receive actionable reports they can trust, with everything needed to fix issues fast
Core Concepts
Understanding the building blocks of VXDF to create and consume vulnerability reports effectively
An ExploitFlow represents a single validated vulnerability instance. It traces the path of untrusted data from its entry point (source) to where it causes harm (sink), including all intermediate steps.
Example
{
"source": "HTTP request parameter \"username\"",
"sink": "SQL query execution",
"steps": [
"Input validation bypass",
"String concatenation",
"Database query"
]
}
VXDF is defined by a JSON Schema (draft 2020-12), so every document can be validated the same way by every implementation.
Custom properties and x-prefixed fields allow organizations to add domain-specific data without breaking compatibility.
Designed to work with SARIF, SPDX, CWE, and CVSS standards, enabling seamless integration with existing tools.
Schema & Examples
Explore the VXDF JSON schema structure and see real-world examples
{
"vxdfVersion": "0.0.1",
"id": "a1b2c3d4-e5f6-7890-1234-567890abcdef",
"generatedAt": "2025-01-15T14:30:00Z",
"generatorTool": {
"name": "OWASP VXDF Validator",
"version": "3.5.1"
},
"exploitFlows": [
{
"id": "flow-123e4567-e89b-12d3-a456-426614174000",
"title": "SQL Injection in User Authentication",
"description": "User-supplied username parameter is directly concatenated into SQL query without sanitization",
"validatedAt": "2025-01-15T13:45:00Z",
"severity": {
"level": "CRITICAL",
"cvssV3_1": {
"baseScore": 9.8,
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
},
"category": "INJECTION",
"cwe": [
"CWE-89"
],
"source": {
"locationType": "WEB_ENDPOINT_PARAMETER",
"uri": "/api/v1/auth/login",
"parameterName": "username",
"description": "Username parameter in login endpoint accepts unsanitized input"
},
"sink": {
"locationType": "SOURCE_CODE_UNIT",
"filePath": "src/auth/LoginController.java",
"startLine": 42,
"endLine": 44,
"functionName": "authenticateUser",
"description": "SQL query construction using string concatenation"
},
"evidence": [
{
"evidenceType": "HTTP_REQUEST_LOG",
"description": "Actual HTTP request that exploited the SQL injection",
"data": {
"method": "POST",
"url": "https://api.example.com/api/v1/auth/login",
"requestBody": {
"username": "admin' OR '1'='1",
"password": "anything"
},
"responseStatusCode": 200,
"responseBody": {
"authenticated": true,
"role": "admin"
}
}
}
]
}
]
}
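The following Python script is an added example, not code from the VXDF project, showing what a consumer does with a report shaped like the one above before trusting it. It applies the checks the core concepts section implies: the top-level and per-flow fields the example uses, an id that parses as a UUID, at least one evidence entry per flow (a flow without evidence is not validated), CWE identifiers in CWE-n form, a CVSS 3.1 vector whose recomputed base score agrees with the stated baseScore and severity level, and custom top-level fields restricted to the x- prefix. It then projects the flows onto a minimal SARIF 2.1.0 log, with the sink as each result's location. The field set and the x- rule are taken from this page's example and text, not from the published JSON Schema, which may require more; the x-ticket property, the trimmed sample document, and the function names are hypothetical.

```python
"""Consumer-side checks for a VXDF report; added example, not the VXDF project's code."""
import math, re, uuid

# Constructed input: the page's example report, abbreviated, plus a hypothetical
# x-ticket extension field (any x- prefixed top-level key is accepted as custom data).
SAMPLE_VXDF = {
    "vxdfVersion": "0.0.1", "id": "a1b2c3d4-e5f6-7890-1234-567890abcdef",
    "generatedAt": "2025-01-15T14:30:00Z",
    "generatorTool": {"name": "OWASP VXDF Validator", "version": "3.5.1"},
    "x-ticket": "SEC-1234",
    "exploitFlows": [{
        "id": "flow-123e4567-e89b-12d3-a456-426614174000",
        "title": "SQL Injection in User Authentication", "validatedAt": "2025-01-15T13:45:00Z",
        "severity": {"level": "CRITICAL", "cvssV3_1": {
            "baseScore": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}},
        "category": "INJECTION", "cwe": ["CWE-89"],
        "source": {"locationType": "WEB_ENDPOINT_PARAMETER", "uri": "/api/v1/auth/login",
                   "parameterName": "username"},
        "sink": {"locationType": "SOURCE_CODE_UNIT", "filePath": "src/auth/LoginController.java",
                 "startLine": 42, "endLine": 44, "functionName": "authenticateUser"},
        "evidence": [{"evidenceType": "HTTP_REQUEST_LOG", "data": {
            "method": "POST", "requestBody": {"username": "admin' OR '1'='1"},
            "responseStatusCode": 200}}],
    }],
}

# CVSS v3.1 base-metric weights from the specification; Privileges Required depends on Scope.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_UI = {"N": 0.85, "R": 0.62}
_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

def _roundup(x):
    """CVSS 3.1 Roundup: smallest one-decimal value >= x, done on integers to avoid float noise."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss31_base_score(vector):
    """Recompute the base score from a CVSS:3.1 vector so a stated baseScore can be cross-checked."""
    if not vector.startswith("CVSS:3.1/"):
        raise ValueError("not a CVSS 3.1 vector")
    m = dict(part.split(":", 1) for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * _PR[m["S"]][m["PR"]] * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    return _roundup(min((1.08 if changed else 1.0) * (impact + exploitability), 10))

# Required fields as used by the page's example (assumption: the real schema may demand more).
_TOP_REQUIRED = ("vxdfVersion", "id", "generatedAt", "generatorTool", "exploitFlows")
_FLOW_REQUIRED = ("id", "title", "severity", "source", "sink", "evidence")
_LEVEL_RANGE = {"CRITICAL": (9.0, 10.0), "HIGH": (7.0, 8.9), "MEDIUM": (4.0, 6.9), "LOW": (0.1, 3.9)}

def check_report(doc):
    """Return the list of problems found; an empty list means the report passed every check."""
    problems = [f"missing top-level field {k}" for k in _TOP_REQUIRED if k not in doc]
    problems += [f"unexpected top-level field {k}; extensions must be x- prefixed"
                 for k in doc if k not in _TOP_REQUIRED and not k.startswith("x-")]
    try:
        uuid.UUID(str(doc.get("id", "")))
    except ValueError:
        problems.append("id is not a UUID")
    for n, flow in enumerate(doc.get("exploitFlows", [])):
        where = f"exploitFlows[{n}]"
        problems += [f"{where}: missing {k}" for k in _FLOW_REQUIRED if k not in flow]
        if not flow.get("evidence"):  # the defining rule: no evidence, no validated flow
            problems.append(f"{where}: no evidence, so the finding is not validated")
        problems += [f"{where}: evidence entry lacks evidenceType or data"
                     for ev in flow.get("evidence", []) if not {"evidenceType", "data"} <= set(ev)]
        problems += [f"{where}: malformed CWE id {c!r}"
                     for c in flow.get("cwe", []) if not re.fullmatch(r"CWE-\d+", str(c))]
        sink = flow.get("sink", {})
        if sink.get("locationType") == "SOURCE_CODE_UNIT" and not {"filePath", "startLine"} <= set(sink):
            problems.append(f"{where}: a SOURCE_CODE_UNIT sink needs filePath and startLine")
        sev = flow.get("severity", {})
        cv = sev.get("cvssV3_1", {})
        if "vector" in cv and "baseScore" in cv:
            computed = cvss31_base_score(cv["vector"])
            if abs(computed - float(cv["baseScore"])) > 1e-9:
                problems.append(f"{where}: baseScore {cv['baseScore']} disagrees with vector ({computed})")
            lo, hi = _LEVEL_RANGE.get(sev.get("level"), (0.0, 10.0))
            if not lo <= computed <= hi:
                problems.append(f"{where}: level {sev.get('level')} inconsistent with score {computed}")
    return problems

_SARIF_LEVEL = {"CRITICAL": "error", "HIGH": "error", "MEDIUM": "warning", "LOW": "note"}

def to_sarif(doc):
    """Project each flow onto one SARIF 2.1.0 result, using the sink as the result's location."""
    results = []
    for flow in doc["exploitFlows"]:
        sink = flow["sink"]
        results.append({
            "ruleId": (flow.get("cwe") or ["VXDF"])[0],
            "level": _SARIF_LEVEL.get(flow["severity"].get("level"), "warning"),
            "message": {"text": flow["title"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": sink.get("filePath") or sink.get("uri", "")},
                "region": {"startLine": sink.get("startLine", 1)}}}],
            "properties": {"vxdfFlowId": flow["id"],
                           "evidenceTypes": [e["evidenceType"] for e in flow["evidence"]]}})
    return {"version": "2.1.0", "runs": [{"tool": {"driver": doc["generatorTool"]}, "results": results}]}
```

Recomputing the score from the vector catches the common case where a producer edits one and forgets the other; rejecting a flow with an empty evidence array enforces the one property that distinguishes a VXDF flow from an ordinary scanner finding. The SARIF projection keeps the VXDF flow id and evidence types under properties so a viewer can link back to the full report.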
Get Involved
Join the open source community building standardized vulnerability reporting
Resources & Tools
- VXDF Validator
- Python SDK (Coming Soon)
- JavaScript SDK (Coming Soon)
Have questions or want to contribute?
Contact the VXDF Team