Extending CVE with additional information not validating the CVE schema

[adulau]

We are currently developing vulnerability-lookup where the organisation operating an instance can extend a CVE with comments or additional information. We were wondering what would be the best option to add such extended meta-data in a CVE, we looked into adp but it seems bound to the fields defined in the schema. What would be the best option? We don't want to create a new external format to encapsulate the CVE entries too. We assume someone has already addressed this issue and are seeking the best strategy.

[zmanion]

Within the constraints that there are only two ADPs right now, and the guidance for additional ADPs is still being developed, it is possible for an ADP to provide data that is not inherently supported by the CNA container. For example, the CISA ADP provides SSVC and KEV using custom schema.

It is expected that an ADP using custom data/schema would need to provide the schema defintion and documenation.

[jayjacobs]

Did @zmanion address your question @adulau? Right now, only authorized entities can update the official CVE record.

Out of curiosity, what kind of information would you want to add to the record?