Hi Nils,
Thank you for the suggestion. At present our security information is published through our existing release process and CVE workflow, but we appreciate that this can leave a delay before automated scanners recognise new security releases.
We already have been discussing switching to GHSA for different reasons, but we hadn’t considered that the switch would cover this gap as well. We are going to take this into account when we decide.
Many thanks,
Janos
From: Schlegelmilch, Nils via mbed-tls mbed-tls@lists.trustedfirmware.org Date: Monday, 13 July 2026 at 09:19 To: mbed-tls@lists.trustedfirmware.org mbed-tls@lists.trustedfirmware.org Subject: [mbed-tls] Publish Mbed TLS security advisories in machine-readable format for SBOM scanners
Hi Mbed TLS team,
I would like to ask whether Mbed TLS could publish security advisories in a machine-readable format, for example GitHub Security Advisories or OSV.
Security fixes are currently visible in release notes and documentation before they appear in NVD/GHSA/OSV. This creates a detection gap for automated vulnerability scanners such as Dependency-Track, because they rely on structured advisory data with affected versions, fixed versions, and identifiers such as CPE, PURL, or Git ranges.
For example, when a security release is available, Dependency-Track may not alert until the corresponding CVE or advisory appears in one of its vulnerability data sources. This can delay automated remediation even though a patched Mbed TLS version is already released.
Would the project consider publishing machine-readable advisories at release time, or is there already a preferred process for this?
Thanks!
Nils Schlegelmilch Development
Phone +49 7836 50-9883 E-Mail n.schlegelmilch@vega.commailto:n.schlegelmilch@vega.com [cid:image001.png@01DD1042.23E9BE30] VEGA Grieshaber KG | Am Hohenstein 113 | 77761 Schiltach | Germany
[cid:image002.png@01DD1042.23E9BE30]https://de.linkedin.com/company/vega-grieshaber-kg[cid:image003.png@01DD1042.23E9BE30]https://www.vega.com/[cid:image004.png@01DD1042.23E9BE30]https://www.youtube.com/vegagrieshaberkg
Unsere Datenschutzhinweise und somit auch die Informationen gem. Art. 13 DSGVO finden Sie im Internet unter www.vega.com/datenschutzhttps://www.vega.com/datenschutz
VEGA Grieshaber KG
Kommanditgesellschaft mit Sitz in Wolfach Registergericht: Freiburg HRA 680 687
Persönlich haftende Gesellschafter: Isabel Grieshaber Grieshaber Holding GmbH Sitz: Wolfach Registergericht: Freiburg HRB 680 271
Geschäftsführer: Isabel Grieshaber, Markus Kniesel
USt.-Id.-Nr.: DE143030199