The Create Vulnerability form in RexCommand allows you to log and manage vulnerabilities associated with your AI systems. This ensures that security and governance issues are captured, prioritized, and resolved in alignment with internal risk protocols and frameworks such as NIST AI RMF or the EU AI Act.
Accurate reporting contributes to audit readiness, compliance oversight, and informed risk decisions.
Below is a field-by-field guide to completing the form.
Basic Information
Vulnerability Title
Provide a short, clear title describing the vulnerability. This should be easily recognizable and descriptive (e.g., “Prompt Injection via System Message”).
Description
Enter a technical summary of the issue, including how the vulnerability manifests, where it was found, and any relevant context for understanding the weakness.
Classification Details
Category
Select the most appropriate classification (e.g., Prompt Injection, Model Misuse, Data Leakage). If none apply, choose Other.
Risk Rating
Assign a risk level (e.g., Low, Medium, High, Critical) based on your organization’s criteria or external standards.
Environment
Specify where the issue occurs (e.g., Production, Staging, Development).
Lifecycle Stage Impacted
Choose the phase of the AI lifecycle affected (e.g., Training, Evaluation, Deployment, Monitoring). This helps contextualize the issue.
Status
Track the current state of the vulnerability (e.g., Detected, Under Investigation, Resolved).
Confidentiality Classification
Apply the appropriate label (e.g., Internal Only, Confidential, Restricted) according to your organization’s data handling policies.
Details & Assignment
Reporter / Source
Indicate who or what identified the issue (e.g., internal QA, bug bounty, external researcher, incident RCA).
Owner / Assignee
Assign a team or individual responsible for investigating and resolving the vulnerability.
Severity Score
Include a numerical severity score if applicable (e.g., CVSS v3.1) or an internal AI-specific scoring method.
Target Remediation Date
Set a deadline for when the issue should be resolved. This supports prioritization and accountability.
Exploitability Details
Describe how the vulnerability could be exploited. Include attack vectors, prerequisites, and any proof-of-concept evidence.
Business / Regulatory Impact
Outline potential consequences of the vulnerability being exploited, including:
Regulatory exposure (e.g., GDPR, CCPA)
Safety or fairness risks
Intellectual property loss
Reputational damage
Remediation Information
Verification / Retest Evidence
Once remediation is complete, provide testing results, logs, or other evidence confirming the vulnerability has been addressed.
Residual Risk
If some risk remains, describe the residual impact and any mitigation controls in place.
Compliance Notes
Document any regulatory or internal compliance actions taken—such as DPO notifications or required filings.
Additional Notes
Vulnerabilities can be associated with specific AI systems or datasets within the platform.
Issues logged here may originate from assessments, audits, or manual discovery.
Resolved vulnerabilities should still be documented fully to ensure traceability.
Use commenting features within the platform to collaborate on resolution efforts.
You may also bulk import vulnerabilities using the vulnerability import template if needed.