OASIS Common Security Advisory Framework (CSAF) TC


adding a new value for "category" in "remediation"


    Posted 06-14-2022 21:46
    Dear TC members,

    I'd like to discuss adding a new value for "category" in "remediation".

    Problem: The third-party CVEs will be announced in advisories. Some of them are re-scored with CVSSv3.1 = 0.0. "known_not_affected" is used in "product_status". In "remediation", "category" doesn't have a matching value for "known_not_affected" (the question on why to announce them with CVSSv3.1 = 0.0 is to provide the info to the customers, as their scanners might catch the third-party components, and then they will ask the support).

    Solution: Add a new value, such as "patch_for_not_affected".

    Thanks,
    Feng Cao, PHD, CISSP, PMP
    Oracle Security Alerts
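The gap described in the post above, as an added example that is not part of the original post or of any CSAF tooling: a check over a constructed CSAF 2.0 fragment that reports which remediation category a producer had to pick for a "known_not_affected" product, and which categories fall outside the CSAF 2.0 enum. The function names, the sample document, the CVE id and the product ids are assumptions made for illustration.

```python
# Added example: constructed CSAF 2.0 fragment, not taken from any real advisory.
CSAF20_REMEDIATION_CATEGORIES = {
    "mitigation", "no_fix_planned", "none_available", "vendor_fix", "workaround",
}

SAMPLE_DOC = {  # constructed; the CVE id and product ids are placeholders
    "vulnerabilities": [{
        "cve": "CVE-0000-00000",
        "product_status": {"known_not_affected": ["CSAFPID-0001"],
                           "fixed": ["CSAFPID-0002"]},
        "scores": [{"products": ["CSAFPID-0001"],
                    "cvss_v3": {"version": "3.1", "baseScore": 0.0}}],
        "remediations": [
            {"category": "vendor_fix",  # closest existing value for a not-affected product
             "details": "Update bundles a newer third-party component.",
             "product_ids": ["CSAFPID-0001"]},
            {"category": "vendor_fix", "details": "Apply the update.",
             "product_ids": ["CSAFPID-0002"]},
        ],
    }]
}

def not_affected_remediations(doc):
    """Return (cve, product_id, category, base_score) for each remediation
    that targets a product the same vulnerability lists as
    known_not_affected."""
    findings = []
    for vuln in doc.get("vulnerabilities", []):
        status = vuln.get("product_status", {})
        not_affected = set(status.get("known_not_affected", []))
        base_score = {}
        for score in vuln.get("scores", []):
            for pid in score.get("products", []):
                base_score[pid] = score.get("cvss_v3", {}).get("baseScore")
        for rem in vuln.get("remediations", []):
            for pid in rem.get("product_ids", []):
                if pid in not_affected:
                    findings.append((vuln.get("cve"), pid, rem.get("category"), base_score.get(pid)))
    return findings

def unknown_categories(doc):
    """Remediation categories in the document that CSAF 2.0 does not define."""
    used = {rem.get("category") for vuln in doc.get("vulnerabilities", [])
            for rem in vuln.get("remediations", [])}
    return used - CSAF20_REMEDIATION_CATEGORIES

if __name__ == "__main__":
    print(not_affected_remediations(SAMPLE_DOC))
```

A document that used the proposed "patch_for_not_affected" value today would be reported by `unknown_categories`, because "category" is a closed enum in the CSAF 2.0 schema.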