diff --git a/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md b/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md index 9746e864a81..b63365b475a 100644 --- a/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md +++ b/docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md 
@@ -25,6 +25,20 @@ Any Findings associated with a Full Risk Acceptance will be set to **Inactive**, Generally, any Risk Acceptances should follow your internal security policy and be re\-examined at an appropriate time. As a result, Risk Acceptances also have expiration dates. Once a Risk Acceptance expires, any Findings will be set to Active again. +### DefectDojo Pro vs Open Source: Cross-Product Risk Acceptances + +**DefectDojo Pro** provides enhanced Risk Acceptance capabilities that allow you to manage risk decisions at scale: + +* **Cross-Product Risk Acceptances**: In DefectDojo Pro, you can apply a single Risk Acceptance across multiple Products. For example, if CVE-2024-1234 appears in 10 different products, you can create one Risk Acceptance that governs all instances of that CVE across your entire portfolio. +* **Bulk CVE Management**: Search for all Findings with a specific CVE or vulnerability ID, then apply a Risk Acceptance to all instances simultaneously, regardless of which Product they belong to. + +**DefectDojo Open Source** implements Risk Acceptances at the Product level: + +* **Product-Scoped Risk Acceptances**: Risk Acceptances are restricted to individual Products. If CVE-2024-1234 appears in 10 different products, you need to create 10 separate Risk Acceptances—one for each Product. +* **Asset-Level Control**: This approach provides granular control and ensures that risk decisions are made in the context of each specific asset or application. + +Both approaches follow the same Risk Acceptance workflow described below, but the scope differs based on your DefectDojo edition. + ### Add a new Full Risk Acceptance Risk Acceptances can be added to a Finding in two ways:
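Review bot: The new "DefectDojo Pro vs Open Source" section describes what a cross-product Risk Acceptance is but not how to create one or what happens on expiry, and the "Asset-Level Control" bullet reads as a rationalisation of the Open Source scope limit rather than documentation of it. Two concrete suggestions. First, the unchanged context just above says "Once a Risk Acceptance expires, any Findings will be set to Active again"; for a Pro acceptance that "governs all instances of that CVE across your entire portfolio", state explicitly that expiry reactivates the Findings in every covered Product, since one expiring acceptance can flip many products at once. Second, "Both approaches follow the same Risk Acceptance workflow described below" is misleading as written: the steps under "Add a new Full Risk Acceptance" are Finding-scoped, so either link to or describe the Pro entry point for the "Search for all Findings with a specific CVE or vulnerability ID, then apply a Risk Acceptance to all instances" flow. Also worth a one-line caveat that accepting a CVE portfolio-wide treats every instance as equally exposed, so the justification should say why that holds, and consider rewording "* **Asset-Level Control**: This approach provides granular control and ensures..." to a neutral statement of scope ("Risk Acceptances apply only to Findings within the Product they were created in").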