OWASP VXDF (Validated Exploitable Data Flow) Format
OWASP VXDF: The Standard for Verifiable Exploit Evidence
The Problem
Security teams are overwhelmed by vulnerability alerts from scanning tools (SAST, DAST, SCA). Most alerts are false positives or theoretical vulnerabilities with no practical exploit path, leading to:
- Alert Fatigue: Wasted time on non-critical issues
- Delayed Remediation: Real threats get lost in the noise
- Developer Frustration: Constant interruptions for non-exploitable issues
- Inconsistent Reporting: Incompatible formats across tools and researchers
The Solution: VXDF
OWASP VXDF (Validated Exploitable Data Flow) is a standardized, machine-readable JSON format for describing confirmed exploitable code vulnerabilities with mandatory validation evidence.
Key Features
- Evidence-Based: Focus on validated exploitable findings, not theoretical possibilities
- Standardized Format: Common language for describing vulnerability exploitation paths
- Machine-Readable: Enables automation in security tools and CI/CD pipelines
- Actionable Intelligence: Clear exploitation steps with concrete proof
What VXDF Contains
- Vulnerability Identification: CWE mapping and weakness details
- Affected Component: Precise software/library/code segment information
- Exploitation Path: Step-by-step attack flow from source to sink
- Validation Evidence: Working PoC scripts, HTTP requests/responses, or other verifiable proof
- Impact Assessment: Contextualized severity and business impact
Who Benefits
- Security Teams: Prioritize real threats, reduce noise
- Developers: Get actionable reports with clear evidence
- Tool Vendors: Provide high-fidelity results
- Researchers: Submit findings with verifiable proof
- Organizations: Improve security posture efficiently
Project Resources
Official Links
- Project Website: vxdf.org
- GitHub Repository: github.com/mihir-shah99/vxdf
Documentation & Tools
- Schema Specification: https://vxdf.org/schema-explorer
- API Documentation: Normative Schema
- Example Files: github.com/mihir-shah99/vxdf/blob/main/example1_flow_based.vxdf
Community & Support
- Discussions: GitHub Discussions
- Issue Tracker: GitHub Issues
Integration & Implementation
- Tool Integration Guide: vxdf.org/integration
- Developer SDKs: Work In Progress for Python, JavaScript, Go
- CI/CD Plugins: Work In Progress for Jenkins, GitHub Actions, GitLab CI
Get Involved
For Contributors:
- Review the Contributing Guide
- Check Good First Issues
- Join our Slack channel
For Tool Vendors:
- Implement VXDF in your security products
- Contact us for integration support
- Access our Vendor Partnership Program
For Organizations:
- Pilot VXDF in your security workflow
- Share feedback and use cases
- Join our Advisory Board
VXDF Project Roadmap
Current Status (Q2 2025)
✅ Completed (2024-Q1 2025)
- Foundational Schema Definition - Base VXDF JSON schema with validation rules
- Normative Schema Documentation - Complete schema specification v0.1-v0.2
- GitHub Repository & Community - Project infrastructure and OWASP integration
- Schema Validation Tools - Production-ready validation tools and CLI
- Documentation Website - Comprehensive project documentation at vxdf.org
🔄 In Progress (Q2 2025)
- OWASP Top 10 2024 Mapping - Mapping VXDF to OWASP Top 10 2024
- Enhancing Correlation Engine - Enhancing the correlation engine to support more complex and nuanced correlations.
- Enhanced SDK Development - JavaScript and Go library implementations
- Adding more parser support - Adding more parser support for more tools - Snyk, Semgrep, OWASP ZAP etc.
Q3 2025 Milestones
Core Platform Enhancement
- Multi-Language SDK Suite - Complete JavaScript, Go, and .NET SDKs
- Intelligence Engine v1.0 - Mature validation and scoring engine.
- Advanced Analytics Dashboard - Real-time vulnerability management metrics
- API Gateway - Centralized VXDF processing and validation service
Contribution Opportunities
For Developers
- SDK Development - Contributing to multi-language library implementations
- Intelligence Engine - Mature coreelation and validation improvements
- Tool Integrations - Building connectors for security tools and platforms
- Open Source Tools - Community-driven utilities and extensions
For Organizations
- Enterprise Pilots - Production deployment and feedback programs
- Industry Standards Work - Contributing to standardization efforts
- Academic Research - University collaboration and research projects
- Conference Speaking - Sharing implementation experiences and use cases
For Vendors
- Certified Integrations - Building official VXDF support into security tools
- Partnership Program - Commercial collaboration and co-marketing opportunities
- Technical Advisory - Contributing to technical direction and standards
- Marketplace Presence - Featuring integrations in VXDF ecosystem
Get Involved
Current Priorities:
- Join our roadmap discussions
- Participate in weekly Tuesday meetings
- Contribute to GitHub Issues and development
Partnership Inquiries:
- Enterprise Pilots: Contact [email protected]
- Vendor Integrations: Join #project-vxdf
- Academic Research: Submit proposals via GitHub Discussions
Roadmap Updated: June 2025 | Next Review: September 2025
VXDF Project Meetings
Weekly Project Call
Every Tuesday, 8:00 AM - 9:00 AM Pacific Time
- Next Meeting: June 10, 2025 at 8:00 AM PT
- Join: Google Meet
- Add to Calendar: Google Calendar Event
- Agenda: Google Docs
Time Zone Conversions
- UTC: 4:00 PM (Winter) / 3:00 PM (Summer)
- Eastern: 11:00 AM EST / 12:00 PM EDT
- Central European: 5:00 PM CET / 4:00 PM CEST
- India: 9:30 PM IST
- Australia: 3:00 AM AEDT / 2:00 AM AEST
Working Groups
Schema & Standards Working Group
- Focus: Schema evolution, validation rules, standards alignment
Tool Integration Working Group
- Focus: SDK development, Maturing Intelligence engine, and other tooling
How to Participate
- Join Slack: #project-vxdf for announcements
- Add Meeting: Use the calendar link above
- Review Agenda: Check the Google Doc before meetings
Meeting Resources
- Meeting Recordings: GitHub Repository
- Action Items: GitHub Projects
- Technical Support: GitHub Issues
- General Questions: GitHub Discussions
Weekly meetings every Tuesday 8:00 AM Pacific Time