Motivation
RDX attack feasibility (AFR) and TAF assessments are primarily analyst-driven and lack a standardized, machine-consumable way to incorporate published vulnerability intelligence (CVE id, CVSS vectors) and predictive exploitability (EPSS) into feasibility and risk calculations. Integrating CVSS v4.0 vectors and EPSS probabilities as an explicit "vulnerabilityContext" allows RDX consumers to automate risk prioritization, reconcile SBOM/HBOM findings with attack path reachability, and reproduce AFR adjustments using auditable inputs.
Proposed change
- Schema additions
- Method mapping
- Define a small reusable method
methodId example rdx-vuln-adjust-v1 in methods explaining how EV/EPSS map to AFR bands (deterministic formula or lookup table). For example: "adjustedAFR = clamp( baseAFR + f(epssScore, exploitEvidence, reachability) )" with explicit parameter definitions.
- Tooling & examples
- Add
examples/rdx-vulnerability-context-example.json showing:
- an SBOM/HBOM component (cyclonedx linkage) with a
vulnerabilityContext referencing a CVE and relatedAttackPathIds.
- an
attackFeasibilityRating whose inputFactors reference the vulnerabilityContext.id and demonstrate the score adjustment.
- Validation
- JSON Schema should validate structure; validators SHOULD not attempt network lookups (CVE/EPSS) during CI. Example test vectors should include deterministic EPS S values for reproducibility in CI.
- Backwards compatibility
-
All fields OPTIONAL. Existing documents without vulnerabilityContexts remain valid.
-
New requirement ID: RDX-115 (new requirement): "Support optional vulnerabilityContext objects linking CVE/CVSS/EPSS and exploit evidence to attack feasibility and risk calculations."
References
Acceptance criteria
- Schema change: spec/json/rdx.schema.json and spec/xml/rdx.xsd include
vulnerabilityContexts[] and validate the example document.
- Example:
examples/rdx-vulnerability-context-example.json demonstrates a CVE -> vulnerabilityContext -> attackPath -> attackFeasibilityRating flow with a deterministic adjustmentMethodRef and shows how AFR is adjusted.
- Documentation: Update methodology/Methodology.md and methodology/CAL-TAF-Integration.md with recommended mapping strategies (sample formula and lookup tables) and guidance on trusted EPSS sources.
- CI: validation script accepts new examples; at least one unit test re-computes the adjusted AFR from provided inputs and asserts the documented adjusted value (deterministic test vector).
Generated by tools/ai_idea_scout.py via the AI Idea Scout workflow.
Review the proposal, refine the title/body/labels, and close if not desired.
Motivation
RDX attack feasibility (AFR) and TAF assessments are primarily analyst-driven and lack a standardized, machine-consumable way to incorporate published vulnerability intelligence (CVE id, CVSS vectors) and predictive exploitability (EPSS) into feasibility and risk calculations. Integrating CVSS v4.0 vectors and EPSS probabilities as an explicit "vulnerabilityContext" allows RDX consumers to automate risk prioritization, reconcile SBOM/HBOM findings with attack path reachability, and reproduce AFR adjustments using auditable inputs.
Proposed change
Add optional array
vulnerabilityContexts[]atriskSetlevel.Each
vulnerabilityContextobject SHOULD include these fields:id(string, required)cveId(string, optional) — e.g., "CVE-2026-12345"references[](array of strings/URLs) — NVD / vendor advisorycpeMatches[](array of CPE strings) — affected CPEscvss(object) with fields:version(string e.g., "4.0"),vector(string CVSS v4.0 vector),baseScore(number)epssScore(number; 0..1) — EPSS probability for exploitation (may be omitted if unavailable)exploitEvidence(object):{ "poC": boolean, "exploitPublished": boolean, "kev": boolean }— presence of PoC/weaponization/CISA KEV membershipreachability(enum) — one of ["internet-exposed","adjacent-network","requires-physical","insider-only","unknown"]relatedAttackPathIds[](array of attackPathidvalues)adjustmentMethodRef(string, methodId) — optional reference to amethodsentry describing how to map CVSS/EPSS to AFR/TAF adjustmentsnote(string) rationalemethodIdexamplerdx-vuln-adjust-v1inmethodsexplaining how EV/EPSS map to AFR bands (deterministic formula or lookup table). For example: "adjustedAFR = clamp( baseAFR + f(epssScore, exploitEvidence, reachability) )" with explicit parameter definitions.examples/rdx-vulnerability-context-example.jsonshowing:vulnerabilityContextreferencing a CVE andrelatedAttackPathIds.attackFeasibilityRatingwhoseinputFactorsreference thevulnerabilityContext.idand demonstrate thescoreadjustment.All fields OPTIONAL. Existing documents without
vulnerabilityContextsremain valid.New requirement ID: RDX-115 (new requirement): "Support optional vulnerabilityContext objects linking CVE/CVSS/EPSS and exploit evidence to attack feasibility and risk calculations."
References
Acceptance criteria
vulnerabilityContexts[]and validate the example document.examples/rdx-vulnerability-context-example.jsondemonstrates a CVE -> vulnerabilityContext -> attackPath -> attackFeasibilityRating flow with a deterministicadjustmentMethodRefand shows how AFR is adjusted.Generated by
tools/ai_idea_scout.pyvia the AI Idea Scout workflow.Review the proposal, refine the title/body/labels, and close if not desired.