I would check in the references section of the report or the CVE listing or database associated with it. CVE listings provide definitions for publicly disclosed cybersecurity exposures and vulnerabilities. Its goal is easier to share data across separate capabilities with these definitions. CVE entries include identification number, a description, and at least a public reference.
