osv-schema
What kind of credit in credits field?
credits fields

```json
{
  "credits": [
    {
      "name": string,
      "contact": [ string ]
    }
  ]
}
```

The credits field is a JSON array providing a way to give credit for the discovery, confirmation, patch, or other events in the life cycle of a vulnerability.

Is there some reason we don't have an optional text description or ENUM for what kind of credit(s)?
Chiming in here from the GitHub side, we'd like to update our own credits model to have types of credits in alignment with the MITRE spec.
Would be great if we could consider a "type" field in credits similar to the OSV references field.
Thanks for chiming in! Given the additional interest, let's resurrect this thread.
A "type" enum field that allows an easy 1:1 mapping to the MITRE spec could certainly work here.
How should package maintainers get credited? Remediation developer?
@captn3m0 here's how the meanings are described as per MITRE:
- finder: identifies the vulnerability
- reporter: notifies the vendor of the vulnerability to a CNA.
- analyst: validates the vulnerability to ensure accuracy or severity.
- coordinator: facilitates the coordinated response process.
- remediation developer: prepares a code change or other remediation plans.
- remediation reviewer: reviews vulnerability remediation plans or code changes for effectiveness and completeness.
- remediation verifier: tests and verifies the vulnerability or its remediation.
- tool: names of tools used in vulnerability discovery or identification.
- sponsor: supports the vulnerability identification or remediation activities.
So I guess it would depend on the maintainer's role in the solution... Could be analyst, coordinator, remediation developer, or really any.
Would someone like to suggest a PR to add this? It seems like the type should enable an easy 1:1 mapping to MITRE for interoperability.
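As an added example (not code from the osv-schema project or from anyone in this thread), here is a small Python validator for a `credits` array that carries an optional `type` field, plus a 1:1 mapping of that enum onto the MITRE role names listed above. The enum spelling used here (the MITRE names upper-cased with underscores, plus `OTHER` for entries without a type) is an assumption about how the field would be spelled; so is the `value`/`type`/`contact` shape of the mapped output. The sample record is constructed for the example.

```python
"""Validate OSV `credits` entries that carry an optional `type` and map them to
MITRE-style credit roles. Added example for this thread, not osv-schema code."""
import json

# Assumption: enum spelling. The MITRE role names from the thread are
# upper-cased with underscores; OTHER is a catch-all for entries with no type.
# The spelling the schema PR actually adopted is not on this page.
OSV_TO_MITRE = {
    "FINDER": "finder",
    "REPORTER": "reporter",
    "ANALYST": "analyst",
    "COORDINATOR": "coordinator",
    "REMEDIATION_DEVELOPER": "remediation developer",
    "REMEDIATION_REVIEWER": "remediation reviewer",
    "REMEDIATION_VERIFIER": "remediation verifier",
    "TOOL": "tool",
    "SPONSOR": "sponsor",
    "OTHER": "other",
}

ALLOWED_KEYS = {"name", "contact", "type"}


def validate_credits(credits):
    """Return a list of error strings; an empty list means the array is valid."""
    if not isinstance(credits, list):
        return ["credits: must be an array"]
    errors = []
    for i, entry in enumerate(credits):
        where = f"credits[{i}]"
        if not isinstance(entry, dict):
            errors.append(f"{where}: must be an object")
            continue
        name = entry.get("name")
        if not isinstance(name, str) or not name.strip():
            errors.append(f"{where}.name: required non-empty string")
        contact = entry.get("contact", [])
        if not isinstance(contact, list) or not all(isinstance(c, str) for c in contact):
            errors.append(f"{where}.contact: must be an array of strings")
        ctype = entry.get("type", "OTHER")  # type is optional; absent means OTHER
        if ctype not in OSV_TO_MITRE:
            errors.append(f"{where}.type: unknown value {ctype!r}")
        for key in sorted(set(entry) - ALLOWED_KEYS):
            errors.append(f"{where}.{key}: unexpected field")
    return errors


def to_mitre_credits(credits):
    """Map validated OSV credits to MITRE-style role names (1:1 on the enum).

    The output shape (value/type/contact) is an assumption for illustration."""
    errors = validate_credits(credits)
    if errors:
        raise ValueError("; ".join(errors))
    return [
        {
            "value": entry["name"],
            "type": OSV_TO_MITRE[entry.get("type", "OTHER")],
            "contact": list(entry.get("contact", [])),
        }
        for entry in credits
    ]


# Constructed sample record (not a real OSV advisory).
SAMPLE = json.loads("""
{
  "id": "EXAMPLE-0000-0001",
  "credits": [
    {"name": "A. Maintainer", "contact": ["https://example.invalid/maintainer"],
     "type": "REMEDIATION_DEVELOPER"},
    {"name": "B. Reporter", "contact": ["mailto:reporter@example.invalid"],
     "type": "FINDER"},
    {"name": "C. Sponsor"}
  ]
}
""")

if __name__ == "__main__":
    print(validate_credits(SAMPLE["credits"]))  # []
    for credit in to_mitre_credits(SAMPLE["credits"]):
        print(credit)
```

Treating a missing `type` as `OTHER` keeps existing records (which have no `type`) valid, which is what makes the field optional rather than a breaking change; rejecting unknown enum values at validation time is what keeps the MITRE mapping a strict 1:1.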
@oliverchang thank you! Our team will submit one.
@oliverchang created a PR here: https://github.com/ossf/osv-schema/pull/110
/cc @KateCatlin @katblag
@oliverchang Looks like this has been merged/deployed. Time to close the issue? :tada: