From e0060ea4ed03a7c81fe26646cbda11fbbdbeda1b Mon Sep 17 00:00:00 2001 From: skywalke34 Date: Thu, 13 Nov 2025 13:59:39 -0700 Subject: [PATCH 1/3] docs: Add Pro vs OSS comparison for cross-product risk acceptances --- .../findings_workflows/risk_acceptances.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md b/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md index 9746e864a81..b63365b475a 100644 --- a/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md +++ b/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md 
@@ -25,6 +25,20 @@ Any Findings associated with a Full Risk Acceptance will be set to **Inactive**, Generally, any Risk Acceptances should follow your internal security policy and be re\-examined at an appropriate time. As a result, Risk Acceptances also have expiration dates. Once a Risk Acceptance expires, any Findings will be set to Active again. +### DefectDojo Pro vs Open Source: Cross-Product Risk Acceptances + +**DefectDojo Pro** provides enhanced Risk Acceptance capabilities that allow you to manage risk decisions at scale: + +* **Cross-Product Risk Acceptances**: In DefectDojo Pro, you can apply a single Risk Acceptance across multiple Products. For example, if CVE-2024-1234 appears in 10 different products, you can create one Risk Acceptance that governs all instances of that CVE across your entire portfolio. +* **Bulk CVE Management**: Search for all Findings with a specific CVE or vulnerability ID, then apply a Risk Acceptance to all instances simultaneously, regardless of which Product they belong to. + +**DefectDojo Open Source** implements Risk Acceptances at the Product level: + +* **Product-Scoped Risk Acceptances**: Risk Acceptances are restricted to individual Products. If CVE-2024-1234 appears in 10 different products, you need to create 10 separate Risk Acceptances—one for each Product. +* **Asset-Level Control**: This approach provides granular control and ensures that risk decisions are made in the context of each specific asset or application. + +Both approaches follow the same Risk Acceptance workflow described below, but the scope differs based on your DefectDojo edition. + ### Add a new Full Risk Acceptance Risk Acceptances can be added to a Finding in two ways: From 8faceeeaf5667b6d644a3760183c290c4d8fc030 Mon Sep 17 00:00:00 2001 
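Review bot: the Open Source paragraph asserts that Risk Acceptances are implemented "at the Product level", but the unchanged context around the insertion point describes them as attached to Findings ("Any Findings associated with a Full Risk Acceptance will be set to **Inactive**", "Risk Acceptances can be added to a Finding in two ways"), so the new section should name the object that actually owns a Risk Acceptance in Open Source and say how that yields one acceptance per Product; otherwise the "10 separate Risk Acceptances" claim is not verifiable from the doc. Two smaller points in the same hunk: the em dash in "10 separate Risk Acceptances—one for each Product" is inconsistent with the hyphen escaping used elsewhere in this file ("re\-examined"), so use a plain hyphen or a comma; and "CVE-2024-1234" is in the real CVE format and may collide with a published entry, so an obviously fictional placeholder such as "CVE-YYYY-NNNN" would be safer in documentation.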
From: Tracy Walker Date: Wed, 3 Dec 2025 09:40:42 -0700 Subject: [PATCH 2/3] Update risk_acceptances.md - correct scope b/w Pro and OSS Corrected risk acceptance scope at engagement level for OSS. --- .../findings_workflows/risk_acceptances.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md b/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md index b63365b475a..9a9f9ac8a43 100644 --- a/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md +++ b/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md 
@@ -27,15 +27,14 @@ Generally, any Risk Acceptances should follow your internal security policy and ### DefectDojo Pro vs Open Source: Cross-Product Risk Acceptances -**DefectDojo Pro** provides enhanced Risk Acceptance capabilities that allow you to manage risk decisions at scale: +**DefectDojo Pro** provides enhanced Risk Acceptance capabilities that managing risk decisions at scale: * **Cross-Product Risk Acceptances**: In DefectDojo Pro, you can apply a single Risk Acceptance across multiple Products. For example, if CVE-2024-1234 appears in 10 different products, you can create one Risk Acceptance that governs all instances of that CVE across your entire portfolio. * **Bulk CVE Management**: Search for all Findings with a specific CVE or vulnerability ID, then apply a Risk Acceptance to all instances simultaneously, regardless of which Product they belong to. -**DefectDojo Open Source** implements Risk Acceptances at the Product level: +**DefectDojo Open Source** implements Risk Acceptances at the Engagement level: -* **Product-Scoped Risk Acceptances**: Risk Acceptances are restricted to individual Products. If CVE-2024-1234 appears in 10 different products, you need to create 10 separate Risk Acceptances—one for each Product. -* **Asset-Level Control**: This approach provides granular control and ensures that risk decisions are made in the context of each specific asset or application. +* **Product-Scoped Risk Acceptances**: Risk Acceptances are restricted to individual Products. If CVE-2024-1234 appears in 10 different products, you need to create 10 separate Risk Acceptances—one for each Engagement. Both approaches follow the same Risk Acceptance workflow described below, but the scope differs based on your DefectDojo edition. From 368f2ff76f61ebd723ba2c92723987f1d1fd7812 Mon Sep 17 00:00:00 2001 
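Review bot: this hunk leaves the Open Source description internally inconsistent: the lead sentence now reads "implements Risk Acceptances at the Engagement level", but the bullet beneath it is still titled "**Product-Scoped Risk Acceptances**", still says they are "restricted to individual Products", and then ends with "one for each Engagement", so a reader cannot tell which object scopes them; rename the bullet and its first sentence to Engagement consistently, and reconsider the section title "Cross-Product Risk Acceptances" if the Engagement framing is the correct one. The hunk also drops "allow you to manage" and leaves "capabilities that managing risk decisions at scale", which is ungrammatical; restore a verb such as "that help you manage". Finally, deleting the "**Asset-Level Control**" bullet with no replacement leaves the Open Source list with a single item that states only a limitation; if per-engagement granularity is still the intended upside, keep a bullet that says so.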
From: Cody Maffucci <46459665+Maffooch@users.noreply.github.com> Date: Fri, 5 Dec 2025 14:32:19 -0700 Subject: [PATCH 3/3] Update docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md --- .../findings_workflows/risk_acceptances.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md b/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md index 9a9f9ac8a43..db37e0e450d 100644 --- a/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md +++ b/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md @@ -27,7 +27,7 @@ Generally, any Risk Acceptances should follow your internal security policy and ### DefectDojo Pro vs Open Source: Cross-Product Risk Acceptances -**DefectDojo Pro** provides enhanced Risk Acceptance capabilities that managing risk decisions at scale: +**DefectDojo Pro** provides enhanced Risk Acceptance capabilities that aid in managing risk decisions at scale: * **Cross-Product Risk Acceptances**: In DefectDojo Pro, you can apply a single Risk Acceptance across multiple Products. For example, if CVE-2024-1234 appears in 10 different products, you can create one Risk Acceptance that governs all instances of that CVE across your entire portfolio. * **Bulk CVE Management**: Search for all Findings with a specific CVE or vulnerability ID, then apply a Risk Acceptance to all instances simultaneously, regardless of which Product they belong to.
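Review bot: "capabilities that aid in managing risk decisions at scale" reads stiffly next to the bullets that address the reader directly ("you can apply a single Risk Acceptance"); "capabilities that let you manage risk decisions at scale" would match that voice. Because this hunk only restores the verb that the previous patch dropped from the same line, squash it into that commit so the series does not introduce and then repair the error, and give the commit a descriptive subject instead of the bare file path.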