Add optional 'Action required' Yes/No field

[vnair0]

As per the new CNA rules https://www.cve.org/Resources/Roles/Cnas/CNA_Rules_v4.0.pdf (effective August 8, 2024),
4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises, artificial intelligence, machine learning) as the sole basis for determining assignment.

This means that there will be CVEs assigned to vulnerabilities in cloud and other new technologies in which there is no action expected by a vendor from the end user. To enable end users to differentiate between CSAF advisories containing CVE's in which an action is expected (like upgrading to the latest version manually) from the 'informational' CVE's in which there is no action expected, I propose the TC considers adding an optional field 'Action Required', which can take the value Yes/No.

[santosomar]

A good example: https://msrc.microsoft.com/blog/2024/06/toward-greater-transparency-unveiling-cloud-service-cves/

[tschmidtb51]

Maybe negating it would be better: no_action_required

[santosomar]

I agree with the no_action_required suggestion. This allows us to capture the majority of the cases of CSAF disclosures where action may be required by the consumer of the document/technology.