Hi Mbed TLS team,
I would like to ask whether Mbed TLS could publish security advisories in a machine-readable format, for example GitHub Security Advisories or OSV.
Security fixes are currently visible in release notes and documentation before they appear in NVD/GHSA/OSV. This creates a detection gap for automated vulnerability scanners such as Dependency-Track, because they rely on structured advisory data with affected versions, fixed versions, and identifiers such as CPE, PURL, or Git ranges.
For example, when a security release is available, Dependency-Track may not alert until the corresponding CVE or advisory appears in one of its vulnerability data sources. This can delay automated remediation even though a patched Mbed TLS version is already released.
Would the project consider publishing machine-readable advisories at release time, or is there already a preferred process for this?
Thanks!
Nils Schlegelmilch Development
Phone +49 7836 50-9883 E-Mail n.schlegelmilch@vega.commailto:n.schlegelmilch@vega.com [cid:image001.png@01DD1042.23E9BE30] VEGA Grieshaber KG | Am Hohenstein 113 | 77761 Schiltach | Germany
[cid:image002.png@01DD1042.23E9BE30]https://de.linkedin.com/company/vega-grieshaber-kg[cid:image003.png@01DD1042.23E9BE30]https://www.vega.com/[cid:image004.png@01DD1042.23E9BE30]https://www.youtube.com/vegagrieshaberkg
Unsere Datenschutzhinweise und somit auch die Informationen gem. Art. 13 DSGVO finden Sie im Internet unter www.vega.com/datenschutz
VEGA Grieshaber KG
Kommanditgesellschaft mit Sitz in Wolfach Registergericht: Freiburg HRA 680 687
Persönlich haftende Gesellschafter: Isabel Grieshaber Grieshaber Holding GmbH Sitz: Wolfach Registergericht: Freiburg HRB 680 271
Geschäftsführer: Isabel Grieshaber, Markus Kniesel
USt.-Id.-Nr.: DE143030199