Thanks a lot for taking the time to read the BCP and provide feedback.
-
Yes, the summary is correct. KEV is a standalone record type.
-
Yes, and additionally, there are cases where an identifier has already been assigned but is not yet publicly disclosed (e.g., embargoed vulnerabilities).
-
vulnerability.vulnIdrepresents the primary identifier, whilevulnerability.altIdcontains synonymous identifiers referring to the same vulnerability. If exploitation activity relates to a different vulnerability, it should be expressed in a separate KEV record. -
Correct. The
evidence.detailsfield primarily acts as a container for source-specific or legacy KEV data, ensuring that original information can be preserved when ingesting or converting existing KEV formats.
Additional clarifications:
-
vulnIdandaltIdare strictly synonyms referring to the same vulnerability identity. A KEV record always applies to a single vulnerability. Any relationship modeling (e.g., dependency, causality, aggregation) is handled in the vulnerability record itself, as described in the BCP-05 relationships field. -
evidence.detailsis intentionally flexible and is used to carry original data or source-specific attributes that are not yet standardized. This follows a similar design pattern to themetafields in MISP. If common structures emerge over time, these may be formalized later as an annex or extension within BCP-07. -
The
severityfield reflects the severity inferred from the exploitation assertion itself, not an abstract or vendor-defined vulnerability score. For example, a honeypot observation resulting in full system compromise would justify a high severity value. This distinction may benefit from clearer wording in the BCP document.