Add risk score field to VEX specification

[fahedouch]

Problem

VEX lacks a standardized field for risk scores (e.g., OWASP Risk Rating, Custom Risk Score), despite the NTIA specification stating VEX can include "scores and risks."

Use Case

Our platform prioritizes vulnerabilities based on context-specific risk assessment. We need a standard way to transmit risk scores through VEX to security scanners.

Proposal

Add a risk_score field to enable platforms to communicate:

• Context-specific exploitability scores
• Standardized risk ratings (OWASP etc.)

This allows consistent risk communication between vulnerability management platforms and consumers.

[fahedouch]

I am actively working on a tool called vens that calculates risk scores for vulnerabilities. Currently, we only support CycloneDX VEX for exchanging vulnerability scores with vulnerability management platforms (e.g. Trivy, Dependency-Track, Grype...), and we want to expand the scope to include OpenVEX. Could you please take a look?

ping @puerco @cpanato