Allow for "Dismissing Vulnerabilities" to be scoped to Maintainer and above
Problem to solve
Currently, when using our security tools, vulnerability findings can be dismissed by users with the Developer
role and above. However, in many cases organizations want to lock this down, allowing only Maintainers
to dismiss vulnerabilities.
Another option would be to allow dismissal of vulnerabilities only for members of a specific group, similar to how "approval rules" work today. This would let organizations define a @security
group whose members are allowed to dismiss vulnerabilities.
One note: I do think there is still value in allowing developers to "Comment" on a vulnerability to centralize the discussion, but not giving them the dismiss option.
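To make the two proposed options concrete, here is an added Ruby model of the permission check (illustration only, not GitLab's implementation): a minimum-role threshold, an approval-rule-style group allowlist, and the comment/dismiss split. The role ranks, group name and sample users are assumptions.

```ruby
# Constructed model of the proposed dismissal permissions; not GitLab code.
# Role ranks mirror the usual access-level ordering (assumption).
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# Project policy: a minimum role for dismissing (option 1) and/or an explicit
# allowlist of groups (option 2, modelled on approval rules).
VulnerabilityPolicy = Struct.new(:min_dismiss_role, :dismiss_groups, keyword_init: true) do
  # Commenting stays open to Developers and above so discussion of a finding
  # remains centralized even when dismissal is locked down.
  def can_comment?(user)
    ROLE_RANK.fetch(user[:role]) >= ROLE_RANK[:developer]
  end

  # Dismissing requires the configured role threshold OR membership in an
  # allow-listed group; a group member still needs at least Developer access,
  # i.e. today's baseline, so a Reporter in @security cannot dismiss.
  def can_dismiss?(user)
    return false unless can_comment?(user)
    role_ok  = ROLE_RANK.fetch(user[:role]) >= ROLE_RANK.fetch(min_dismiss_role)
    group_ok = dismiss_groups.any? && (dismiss_groups & user[:groups]).any?
    role_ok || group_ok
  end

  # Actions the UI should expose for this user on a finding.
  def allowed_actions(user)
    actions = []
    actions << :comment if can_comment?(user)
    actions << :dismiss if can_dismiss?(user)
    actions
  end
end

# Option 1: Maintainer and above only.
MAINTAINER_ONLY = VulnerabilityPolicy.new(min_dismiss_role: :maintainer, dismiss_groups: [])
# Option 2: members of a @security group (plus Owners, who sit above the threshold).
SECURITY_GROUP  = VulnerabilityPolicy.new(min_dismiss_role: :owner, dismiss_groups: ['@security'])

# Constructed sample users.
DEV      = { role: :developer,  groups: [] }
DEV_SEC  = { role: :developer,  groups: ['@security'] }
MAINT    = { role: :maintainer, groups: [] }
REPORTER = { role: :reporter,   groups: ['@security'] }
```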
Intended users
What does success look like, and how can we measure that?
Allowing the organization to better manage risk by restricting who can dismiss vulnerabilities.