Hi Nils,

Thank you for the suggestion. At present our security information is published through our existing release process and CVE workflow, but we appreciate that this can leave a delay before automated scanners recognise new security releases.

We already have been discussing switching to GHSA for different reasons, but we hadnt considered that the switch would cover this gap as well. We are going to take this into account when we decide.

Many thanks,

Janos



From: Schlegelmilch, Nils via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Date: Monday, 13 July 2026 at 09:19
To: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] Publish Mbed TLS security advisories in machine-readable format for SBOM scanners

Hi Mbed TLS team,

 

I would like to ask whether Mbed TLS could publish security advisories in a machine-readable format, for example GitHub Security Advisories or OSV.

 

Security fixes are currently visible in release notes and documentation before they appear in NVD/GHSA/OSV. This creates a detection gap for automated vulnerability scanners such as Dependency-Track, because they rely on structured advisory data with affected versions, fixed versions, and identifiers such as CPE, PURL, or Git ranges.

 

For example, when a security release is available, Dependency-Track may not alert until the corresponding CVE or advisory appears in one of its vulnerability data sources. This can delay automated remediation even though a patched Mbed TLS version is already released.

 

Would the project consider publishing machine-readable advisories at release time, or is there already a preferred process for this?

 

Thanks!

 

 

Nils Schlegelmilch

Development

 

Phone   +49 7836 50-9883

E-Mail     n.schlegelmilch@vega.com

VEGA Grieshaber KG | Am Hohenstein 113 | 77761 Schiltach | Germany

 

 

Unsere Datenschutzhinweise und somit auch die Informationen gem. Art. 13 DSGVO finden Sie im Internet unter www.vega.com/datenschutz

VEGA Grieshaber KG

Kommanditgesellschaft mit Sitz in Wolfach
Registergericht: Freiburg HRA 680 687

Persönlich haftende Gesellschafter:
Isabel Grieshaber
Grieshaber Holding GmbH
Sitz: Wolfach
Registergericht: Freiburg HRB 680 271

Geschäftsführer:
Isabel Grieshaber, Markus Kniesel

USt.-Id.-Nr.: DE143030199