From: Schlegelmilch, Nils via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Date: Monday, 13 July 2026 at 09:19
To: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
Subject: [mbed-tls] Publish Mbed TLS security advisories in machine-readable format for SBOM scanners
Hi Mbed TLS team,
I would like to ask whether Mbed TLS could publish security advisories in a machine-readable format, for example GitHub Security Advisories or OSV.
Security fixes are currently visible in release notes and documentation before they appear in NVD/GHSA/OSV. This creates a detection gap for automated vulnerability scanners such as Dependency-Track, because they rely on structured advisory data with affected
versions, fixed versions, and identifiers such as CPE, PURL, or Git ranges.
For example, when a security release is available, Dependency-Track may not alert until the corresponding CVE or advisory appears in one of its vulnerability data sources. This can delay automated remediation even though a patched Mbed TLS version is already
released.
Would the project consider publishing machine-readable advisories at release time, or is there already a preferred process for this?
Thanks!
Nils Schlegelmilch
Development
Phone +49 7836 50-9883
E-Mail
n.schlegelmilch@vega.com

VEGA Grieshaber KG | Am Hohenstein 113 | 77761 Schiltach | Germany



|
Unsere Datenschutzhinweise und somit auch die Informationen gem. Art. 13 DSGVO finden Sie im Internet unter
www.vega.com/datenschutz
VEGA Grieshaber KG
Kommanditgesellschaft mit Sitz in Wolfach
Registergericht: Freiburg HRA 680 687
Persönlich haftende Gesellschafter:
Isabel Grieshaber
Grieshaber Holding GmbH
Sitz: Wolfach
Registergericht: Freiburg HRB 680 271
Geschäftsführer:
Isabel Grieshaber, Markus Kniesel
USt.-Id.-Nr.: DE143030199
|
|