From 31cf521209f042bbcda8afabe0076a522f274060 Mon Sep 17 00:00:00 2001 From: Tobie Langel Date: Wed, 9 Apr 2025 23:41:20 +0200 Subject: [PATCH] Make it optional to provide an estimation of the severity of a vulnerability Closes #17. Signed-off-by: Tobie Langel --- spec.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec.md b/spec.md index b599ed1..f52c0cb 100644 --- a/spec.md +++ b/spec.md @@ -110,7 +110,7 @@ In case of such a multi-party vulnerability handling, all parties SHOULD agree o The Organization MUST publish all resolved vulnerabilities. Each Organization MUST publish a list of all publicly known Vulnerabilities in their products. This publication SHOULD happen on a web page and SHOULD offer a machine-readable version. -The publication of the list of known Vulnerabilities takes a form of a list of their identification (one or multiple ones) and at least one link to a public resource describing this Vulnerability (at least the affected product and versions, affected configurations and a general description) and SHOULD include an estimation of severity of the Vulnerability. The Organization MAY include additional information. +The publication of the list of known Vulnerabilities takes a form of a list of their identification (one or multiple ones) and at least one link to a public resource describing this Vulnerability (at least the affected product and versions, affected configurations and a general description). It MAY include additional information such as the estimation of severity of the Vulnerability. The publication MUST include a Vulnerability identification from a public database. It MAY include additional identification numbers from public and private databases.
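Review bot: In the added line of the `spec.md` hunk (`@@ -110,7 +110,7 @@`), the subject of "It MAY include additional information" is ambiguous. The preceding sentence ends on a parenthetical about the linked public resource, so "It" can be read as either the publication or that resource, whereas the removed line named the actor explicitly ("The Organization MAY include additional information"). Suggest keeping the explicit subject, for example "The Organization MAY include additional information, such as an estimation of the severity of the Vulnerability." Also note that moving severity from SHOULD to MAY is a normative relaxation: the context line above says the publication SHOULD offer a machine-readable version, and consumers of that version can no longer expect a severity value to be present. The commit message gives no rationale beyond "Closes #17", so a short justification there or in the spec text would help readers who triage from the published list.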