Dear TC members,
During the CSAF TC meeting on 2024-11-27, there was a discussion about GitHub Issue https://github.com/oasis-tcs/csaf/issues/782 (to Differentiate Between disclosure_date and first_known_exploitation_date in CSAF Documents).
A few folks suggested not to include these fields. However, we ran out of time. For the purpose of documentation and awareness, I included the following information in the issue. The suggestion is not to include first_known_exploitation_date as a mandatory field, but as an OPTIONAL field.
It will be good to introduce a differentiation in the /vulnerabilities[] section of CSAF documents by defining two distinct fields: disclosure_date and first_known_exploitation_date. These fields will serve different purposes and follow the guidelines outlined below:
- Disclosure Date (disclosure_date):
  - Type: String of format date-time.
  - Definition: Holds the date and time the vulnerability was publicly disclosed.
- Date of First Known Exploitation (first_known_exploitation_date):
  - Type: String of format date-time.
  - Definition: Records the date and time the vulnerability was first observed to be exploited in the wild. This is good for representing CISA KEVs, etc.
  - Exclusions: Does not include exploitation in lab or testing environments.
Rationale:
- An OPTIONAL field that clarifies the distinction between when a vulnerability is disclosed and when it is observed to be actively exploited.
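To make the proposal concrete for a document consumer, here is an added example (not part of this message or the CSAF specification) that checks the two proposed fields on a /vulnerabilities[] entry: both are treated as optional, each is parsed as an RFC 3339 date-time, and a finding is raised when the first known exploitation precedes public disclosure. The field names follow the proposal in the issue; the sample entry is constructed.

```python
"""Consumer-side checks for the proposed optional CSAF date fields."""
from datetime import datetime, timezone

# Constructed sample /vulnerabilities[] entry using the field names proposed
# in the issue (not yet part of any published CSAF schema).
SAMPLE_VULNERABILITY = {
    "disclosure_date": "2024-01-15T00:00:00Z",
    "first_known_exploitation_date": "2023-12-20T12:30:00+00:00",
}

PROPOSED_DATE_FIELDS = ("disclosure_date", "first_known_exploitation_date")


def parse_date_time(value):
    """Parse a JSON Schema 'date-time' (RFC 3339) string into a UTC datetime.

    Raises ValueError for non-strings, malformed text, or a missing offset.
    The trailing 'Z' is rewritten because datetime.fromisoformat() only
    accepts it on Python 3.11+.
    """
    if not isinstance(value, str):
        raise ValueError("date-time must be a string")
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        raise ValueError("date-time must carry a timezone offset")
    return parsed.astimezone(timezone.utc)


def check_vulnerability_dates(vuln):
    """Return a list of findings (strings) for one vulnerability entry.

    Absence of either field is not a finding, matching the OPTIONAL status
    proposed for first_known_exploitation_date.
    """
    findings = []
    dates = {}
    for field in PROPOSED_DATE_FIELDS:
        if field not in vuln:
            continue  # optional field: nothing to check
        try:
            dates[field] = parse_date_time(vuln[field])
        except ValueError as exc:
            findings.append(f"{field}: invalid date-time ({exc})")
    if len(dates) == 2 and dates["first_known_exploitation_date"] < dates["disclosure_date"]:
        # Exploitation observed before disclosure: worth surfacing to consumers.
        findings.append("first_known_exploitation_date precedes disclosure_date")
    return findings


if __name__ == "__main__":
    for finding in check_vulnerability_dates(SAMPLE_VULNERABILITY):
        print(finding)
```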
Call to Action and Further Discussion:
Let's start a discussion here or in the GitHub issue.
Thank you!
------------------------------
Best regards,
Omar Santos
------------------------------