Justification & Impact Statements
Provide justification, response, detail, impact, and action statements for vulnerability dispositions.
When setting a disposition, you can provide additional context that explains your decision. These statements are included in the VEX document and help downstream users understand your assessment.
Justification
Used primarily with Not Affected dispositions. Explains why the vulnerability does not impact your product.
Examples:
- "The vulnerable function `parseXML()` is never called in our codebase"
- "The affected module is only included as a development dependency and is not shipped in production builds"
- "Our deployment configuration disables the affected feature"
Response
Used primarily with Affected dispositions. Describes your planned response to the vulnerability.
Examples:
- "Will upgrade to patched version in the next release"
- "Working with upstream maintainer on a fix"
- "Applying compensating controls while awaiting patch"
Detail
Additional context for any disposition status. Provides supplementary information that does not fit in the justification or response fields.
Examples:
- "Confirmed by manual code review on 2026-02-05"
- "Vendor advisory states only versions prior to 3.2 are affected; we use 3.4"
- "EPSS score is very low (0.01), reducing practical exploitation risk"
Impact statement
Describes the potential impact of the vulnerability on your product. This helps downstream users assess their own risk.
Examples:
- "If exploited, an attacker could gain read access to local configuration files"
- "No user data exposure possible; the affected component handles non-sensitive metadata only"
- "Potential denial of service under high-load conditions"
Action statement
Describes specific steps taken or planned for remediation. Particularly important for Affected and Fixed dispositions.
Examples:
- "Upgraded log4j from 2.14.1 to 2.17.1 in this release"
- "Applied vendor patch KB-2024-001 to the deployment"
- "Remediation scheduled for version 3.2.0, expected 2026-03-15"
How these fields appear in VEX documents
All statement fields you provide are included in the generated VEX document under the corresponding vulnerability entry. The exact structure depends on the VEX format:
- CycloneDX VEX: Statements are included in the `analysis` section of each vulnerability
- OpenVEX: Statements map to the `justification` and `impact_statement` fields
- CSAF: Statements appear in the `threats` and `remediations` sections
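The following is an added example (not the tool's own code) that renders one disposition record as an OpenVEX statement, a CycloneDX `vulnerabilities[]` entry and a CSAF `vulnerabilities[]` entry, and applies the OpenVEX status rules before rendering (a `not_affected` statement needs a justification or an impact statement; an `affected` statement needs an action statement). Two things are assumptions of the example rather than facts from this page: OpenVEX and CycloneDX take their `justification` from a fixed vocabulary of labels, so the example carries that label separately from the free-text justification, and the free-text statements are placed in `status_notes` (OpenVEX) and `analysis.detail` (CycloneDX) by concatenation. The vulnerability id, purl and statement texts are constructed sample data.

```python
"""Render one vulnerability disposition as OpenVEX, CycloneDX VEX and CSAF fragments.

Added example, not the tool's own code. Field names follow the public specs;
the placement of free-text statements and the label mapping are assumptions.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# OpenVEX status -> (CycloneDX analysis.state, CSAF product_status bucket)
STATUS_MAP = {
    "not_affected": ("not_affected", "known_not_affected"),
    "affected": ("exploitable", "known_affected"),
    "fixed": ("resolved", "fixed"),
    "under_investigation": ("in_triage", "under_investigation"),
}

# OpenVEX justification label -> CycloneDX analysis.justification (assumed mapping)
JUSTIFICATION_MAP = {
    "component_not_present": "code_not_present",
    "vulnerable_code_not_present": "code_not_present",
    "vulnerable_code_not_in_execute_path": "code_not_reachable",
    "vulnerable_code_cannot_be_controlled_by_adversary": "protected_at_runtime",
    "inline_mitigations_already_exist": "protected_by_mitigating_control",
}


@dataclass
class Disposition:
    vuln_id: str
    product: str                                   # purl or product id
    status: str                                    # OpenVEX status vocabulary
    justification_label: Optional[str] = None      # machine-readable label (OpenVEX vocabulary)
    justification: Optional[str] = None            # free-text statements as on this page
    response: Optional[str] = None
    detail: Optional[str] = None
    impact_statement: Optional[str] = None
    action_statement: Optional[str] = None


def validate(d: Disposition) -> List[str]:
    """Return the OpenVEX status-specific requirements the record violates."""
    problems = []
    if d.status not in STATUS_MAP:
        problems.append(f"unknown status {d.status!r}")
    if d.status == "not_affected" and not (d.justification_label or d.impact_statement):
        problems.append("not_affected needs a justification label or an impact statement")
    if d.status == "affected" and not d.action_statement:
        problems.append("affected needs an action statement")
    if d.justification_label and d.justification_label not in JUSTIFICATION_MAP:
        problems.append(f"unknown justification label {d.justification_label!r}")
    return problems


def _join(*parts: Optional[str]) -> Optional[str]:
    text = " ".join(p for p in parts if p)
    return text or None


def _drop_none(obj: dict) -> dict:
    return {k: v for k, v in obj.items() if v is not None}


def to_openvex_statement(d: Disposition) -> dict:
    return _drop_none({
        "vulnerability": {"name": d.vuln_id},
        "products": [{"@id": d.product}],
        "status": d.status,
        "justification": d.justification_label,
        "impact_statement": d.impact_statement,
        "action_statement": d.action_statement,
        "status_notes": _join(d.justification, d.response, d.detail),  # assumed placement
    })


def to_cyclonedx_vulnerability(d: Disposition) -> dict:
    state, _ = STATUS_MAP[d.status]
    analysis = _drop_none({
        "state": state,
        "justification": JUSTIFICATION_MAP.get(d.justification_label or ""),
        # CycloneDX has one free-text field in analysis; concatenate all statements there (assumed)
        "detail": _join(d.justification, d.response, d.detail, d.impact_statement, d.action_statement),
    })
    return {"id": d.vuln_id, "affects": [{"ref": d.product}], "analysis": analysis}


def to_csaf_vulnerability(d: Disposition) -> dict:
    _, bucket = STATUS_MAP[d.status]
    vuln = {"cve": d.vuln_id, "product_status": {bucket: [d.product]}}
    if d.impact_statement:
        vuln["threats"] = [{"category": "impact", "details": d.impact_statement, "product_ids": [d.product]}]
    if d.action_statement:
        category = "vendor_fix" if d.status == "fixed" else "mitigation"  # assumed category choice
        vuln["remediations"] = [{"category": category, "details": d.action_statement, "product_ids": [d.product]}]
    return vuln


# Constructed sample record: placeholder CVE id and purl, statement texts taken from this page.
SAMPLE = Disposition(
    vuln_id="CVE-2026-0001",
    product="pkg:maven/org.example/app@1.0.0",
    status="not_affected",
    justification_label="vulnerable_code_not_in_execute_path",
    justification="The vulnerable function parseXML() is never called in our codebase",
    detail="Confirmed by manual code review on 2026-02-05",
    impact_statement="No user data exposure possible; the affected component handles non-sensitive metadata only",
)

if __name__ == "__main__":
    assert validate(SAMPLE) == [], validate(SAMPLE)
    for name, fn in (("openvex", to_openvex_statement), ("cyclonedx", to_cyclonedx_vulnerability), ("csaf", to_csaf_vulnerability)):
        print(name, json.dumps(fn(SAMPLE), indent=2))
```

Run `validate()` before emitting anything: an `affected` disposition with a response text but no action statement, or a `not_affected` one with only a free-text justification, passes through a naive renderer and produces a document downstream consumers will reject or ignore.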
Providing thorough statements strengthens your disclosure and demonstrates due diligence to auditors and regulators.