Add Vulnerability-Level Numeric Scoring and Metadata Fields
Problem to Solve
Current GitLab vulnerability management relies solely on severity categories (Critical, High, Medium, Low, Info) for triaging security findings. This creates overly broad groupings that don't provide sufficient granularity for effective vulnerability prioritization and remediation workflows.
If two vulnerabilities are both High severity but one scores 8.9/10 and the other 7.5/10, organizations would typically want to triage the former first. Organizations need somewhere in GitLab to store such numeric scores so that remediation strategies can prioritize vulnerabilities in descending score order.
Proposal
Add support for vulnerability-level numeric scoring and/or tagging functionality that allows organizations to store custom scoring data for each vulnerability.
Use Case
Organizations often implement custom vulnerability scoring methodologies that consider factors beyond base severity, such as:
- Asset criticality
- Environmental context
- Business impact
- Exploitability in their specific environment
These methodologies produce numeric scores (like 8.9/10 vs 7.5/10) that enable more precise prioritization within the same GitLab severity category. Organizations need fields to store these scores in GitLab to support their triage workflows.