zmanion/SBOM

Consider "risk accepted" as a VEX status

Opened this issue · 2 comments

From a CISA VEX WG mailing list thread proposing a new VEX status:

2.7.1.5 Risk Accepted (“risk_accepted”)

The [author] of the VEX statement or other relevant parties have ruled this [vul_id] as presenting an insignificant risk, and will not further investigate the [vul_id] to assess whether it is “not_affected” or “affected” and will not further update the [status] of this [vul_id].

We believe this is a common practice in the Industry, for [vul_id]s of very low actual risk. This scenario is not satisfied by [status] being set to “not_affected” or by “under_investigation” as there will be no further investigation to find whether or not the product is affected by the [vul_id], and the Status will not progress to any other value from this state (no further investigation will be performed).

These elements may provide immediate capability to convey "risk accepted."

2.7.1.2.1 Action statement [action_statement]
For status “affected”, a VEX statement MUST include one [action_statement] that SHOULD describe actions to remediate or mitigate [vul_id].

2.7.2 Status notes [status_notes]
[status_notes] MAY convey information about how [status] was determined and MAY reference other VEX information.

Part of the discussion separates status from response decision, i.e., status can be affected, under investigation, or unknown, independently of the decision to accept risk. Risk assessment/acceptance is usually specific to the VEX consumer.
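As an added illustration of the two options discussed above (my own code, not from this issue or the CISA VEX document): a format-agnostic statement keyed by the element names in the excerpt, showing how a strict validator treats the proposed "risk_accepted" status versus how status "affected" plus [action_statement] and [status_notes] can carry the same decision while leaving the consumer's own assessment intact. The dict layout, helper names and the placeholder CVE id are assumptions.

```python
# Added example; the dict representation and helper names are assumptions,
# not any VEX format's schema. Statuses per the CISA minimum requirements.
KNOWN_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
PROPOSED_STATUS = "risk_accepted"  # proposed on the mailing list, not in the spec


def validate_statement(stmt: dict, allow_proposed: bool = False) -> list:
    """Return a list of problems. Encodes the quoted rules: an unknown
    [status] is an error, and status "affected" MUST carry one
    [action_statement]. allow_proposed admits the proposed status."""
    problems = []
    status = stmt.get("status")
    allowed = KNOWN_STATUSES | ({PROPOSED_STATUS} if allow_proposed else set())
    if status not in allowed:
        problems.append(f"unknown status {status!r}")
    if status == "affected" and not stmt.get("action_statement"):
        problems.append("status 'affected' requires an action_statement")
    return problems


def risk_accepted_via_existing_elements(author, vul_id, product, rationale) -> dict:
    """Convey producer-side risk acceptance with existing elements only:
    status stays "affected" (the product is affected and will not be
    remediated); the decision goes in [action_statement] and [status_notes]."""
    return {
        "author": author,
        "vul_id": vul_id,
        "product": product,
        "status": "affected",
        "action_statement": "No remediation planned; risk accepted by producer. " + rationale,
        "status_notes": "Producer risk acceptance; consumers should assess independently.",
    }


def producer_accepted_risk(stmt: dict) -> bool:
    """Consumer-side check: because acceptance lives in free-text fields,
    it is detected textually and never changes the consumer's own decision."""
    text = (stmt.get("action_statement", "") + " " + stmt.get("status_notes", "")).lower()
    return stmt.get("status") == "affected" and "risk accepted" in text


if __name__ == "__main__":
    s = risk_accepted_via_existing_elements(
        "Example Vendor", "CVE-XXXX-XXXXX", "widget 1.0", "Vulnerable code is not reachable.")
    print(validate_statement(s), producer_accepted_risk(s))
    print(validate_statement({"status": PROPOSED_STATUS}))
```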