Add an optional element in Profile 2: Security Incident Response indicating if own offerings and systems are affected #792

Open
sonnyvanlingen opened this issue Oct 16, 2024 · 2 comments

Comments

@sonnyvanlingen

As can be read in 4.2 Profile 2: Security incident response:

This profile SHOULD be used to provide a response to a security breach or incident. This MAY also be used to convey information about an incident that is unrelated to the issuing party's own products or infrastructure.

For consumers of such CSAF documents, I would expect that this information about impact on the issuer's own products/services is useful to dictate how this CSAF document is displayed in CSAF viewers or prioritized in CSAF management systems.

Therefore I suggest adding an optional machine-readable value in Profile 2 entitled affects_issuing_party (or similar) with two valid values:

yes
no

@tschmidtb51
Contributor

Do you envision using that option in other profiles as well? How would I communicate that it is still unknown?

@sonnyvanlingen
Author

I think this adds the most value in Profile 2. For communicating the unknown status: I would be fine with introducing a value such as 'unknown' or 'under_investigation' too.
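As an added illustration of the consumer-side use sketched in the issue body and refined in the last comment (prioritizing Profile 2 documents by whether the issuer itself is affected), the following Python is example code, not part of the CSAF specification or the csaf repository. It assumes the proposed element sits at /document/affects_issuing_party, treats an absent element like the 'under_investigation' value, and uses constructed sample documents; the priority tiers are an assumption as well.

```python
import json

# CSAF 2.0 document category that identifies Profile 2: Security Incident Response
INCIDENT_RESPONSE_CATEGORY = "csaf_security_incident_response"

# Values discussed in the issue: "yes"/"no" plus a marker for "still unknown".
# An absent element is treated like the unknown marker so documents written
# before such an element exists are still handled.
UNKNOWN = "under_investigation"
ALLOWED_VALUES = {"yes", "no", "unknown", UNKNOWN}

# Display tiers a CSAF management system might derive (1 = show first).
# These tiers are an assumption for this example, not part of the proposal.
PRIORITY_TIER = {"yes": 1, UNKNOWN: 2, "no": 3}


def affects_issuing_party(csaf_doc: dict) -> str:
    """Return the normalised affects_issuing_party value of a Profile 2 document.

    Element placement at /document/affects_issuing_party is an assumption;
    the issue does not specify where the element would live.
    """
    document = csaf_doc.get("document", {})
    if document.get("category") != INCIDENT_RESPONSE_CATEGORY:
        raise ValueError(f"not a security incident response document: {document.get('category')!r}")
    value = document.get("affects_issuing_party", UNKNOWN)
    if value not in ALLOWED_VALUES:
        raise ValueError(f"unexpected affects_issuing_party value: {value!r}")
    return UNKNOWN if value == "unknown" else value


def priority_tier(csaf_doc: dict) -> int:
    """Tier used to order documents in a viewer; affected issuers sort first."""
    return PRIORITY_TIER[affects_issuing_party(csaf_doc)]


def sort_by_priority(docs: list) -> list:
    """Return tracking IDs ordered by tier, most urgent first."""
    return [d["document"]["tracking"]["id"] for d in sorted(docs, key=priority_tier)]


# Constructed sample documents (minimal; real CSAF documents carry many more fields).
SAMPLE_DOCS = [json.loads(s) for s in (
    '{"document": {"category": "csaf_security_incident_response", "tracking": {"id": "EX-2024-0003"}}}',
    '{"document": {"category": "csaf_security_incident_response", "affects_issuing_party": "no", "tracking": {"id": "EX-2024-0001"}}}',
    '{"document": {"category": "csaf_security_incident_response", "affects_issuing_party": "yes", "tracking": {"id": "EX-2024-0002"}}}',
)]

if __name__ == "__main__":
    print(sort_by_priority(SAMPLE_DOCS))  # → ['EX-2024-0002', 'EX-2024-0003', 'EX-2024-0001']
```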
