Art Manion

Results 41 comments of Art Manion

Not speaking for @tschmidtb51, I recommend the CSAF VEX profile for more granular status options (even if you do not use the upstream component aspect of VEX).

About the VAR/VDR, I recently updated my [VEX/VAR/VDR notes](https://github.com/zmanion/SBOM/blob/main/VEX_VDR.md); in doing so, I found these "requirements" for a VAR:

> Per [ISO/IEC 29147], the elements of a VAR include an...

@rjb4standards:

> It's important to distinguish a vulnerability "Security Advisory", which refers to a single vulnerability, i.e. CSAF profile 4, from a product VDR/VAR which serves as an attestation that...

This issue mentions or implicates the EU CRA, NIST, and OpenSSF. Who should or would develop a more formal VAR specification or requirements document? Since NIST defines VAR currently, I'd...

> But I do not believe a CSAF Security Artifact can list a product with no vulnerabilities, which is what a clean VDR provides: An attestation that a producer has...

I am also in favor, and biased. @eslerm, the embargo period is a policy choice of the operator and isn't enforced by the code, although it is hard coded to...

@eslerm:

> Can an operator shorten the policy during a coordination?

Yes, the embargo length is decided by the operator. A default can be set if desired. This happens to...

Adapted from a Slack thread:

> Whenever the PUT `/cve/{id}/cna` endpoint is called, it will update the `dateUpdated` field, even if the submitted `cnaContainer` is the same as what's already...

Example: https://cveawg.mitre.org/api/cve/CVE-2025-9242

```json
{
  "metrics": [
    {
      "other": {
        "type": "ssvc",
        "content": {
          "timestamp": "2025-11-11T04:55:33.935049Z", # fixme, really really precise :)
          "id": "CVE-2025-9242",
          "options": [
            { "Exploitation": "active" },
            {...
```