Expand Up @@ -25,6 +25,20 @@ Any Findings associated with a Full Risk Acceptance will be set to **Inactive**,

Generally, any Risk Acceptances should follow your internal security policy and be re\-examined at an appropriate time. As a result, Risk Acceptances also have expiration dates. Once a Risk Acceptance expires, any Findings will be set to Active again.

### DefectDojo Pro vs Open Source: Cross-Product Risk Acceptances

**DefectDojo Pro** provides enhanced Risk Acceptance capabilities that allow you to manage risk decisions at scale:

* **Cross-Product Risk Acceptances**: In DefectDojo Pro, you can apply a single Risk Acceptance across multiple Products. For example, if CVE-2024-1234 appears in 10 different products, you can create one Risk Acceptance that governs all instances of that CVE across your entire portfolio.
* **Bulk CVE Management**: Search for all Findings with a specific CVE or vulnerability ID, then apply a Risk Acceptance to all instances simultaneously, regardless of which Product they belong to.

**DefectDojo Open Source** implements Risk Acceptances at the Product level:
Member:

In OS the risk acceptances are at Engagement level.

Contributor:

I'm the one that misspoke to @skywalke34 and told him it was Product level but, yeah, it's engagement level in Open Source.

Contributor:

I wanted to extend it to the Product level, but I have received no feedback about it #12361 (comment)

So, do you agree to redo to the product level?

Contributor:

> I wanted to extend it to the Product level, but I have received no feedback about it #12361 (comment)
>
> So, do you agree to redo to the product level?

We are going to keep risk acceptance at the engagement level in open source for the time being


* **Product-Scoped Risk Acceptances**: Risk Acceptances are restricted to individual Products. If CVE-2024-1234 appears in 10 different products, you need to create 10 separate Risk Acceptances—one for each Product.
* **Asset-Level Control**: This approach provides granular control and ensures that risk decisions are made in the context of each specific asset or application.

Both approaches follow the same Risk Acceptance workflow described below, but the scope differs based on your DefectDojo edition.

### Add a new Full Risk Acceptance

Risk Acceptances can be added to a Finding in two ways:
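Review bot: The line "**DefectDojo Open Source** implements Risk Acceptances at the Product level:" and the "**Product-Scoped Risk Acceptances**" bullet that follows it contradict what the maintainers state in this thread: in Open Source, Risk Acceptances are at the Engagement level, and they are staying there for the time being. As written, the docs will send users looking for a Product-level control that does not exist. Unless the scope is being changed in the same release, reword the Open Source section around the Engagement, for example "Risk Acceptances are scoped to a single Engagement. If CVE-2024-1234 appears in 10 different engagements, you need to create 10 separate Risk Acceptances, one for each Engagement." The "**Asset-Level Control**" bullet should be retitled and reworded in the same way, since it currently describes the decision as being made "in the context of each specific asset or application", which again implies Product scope. The closing sentence about the scope differing by edition still holds once the Open Source scope is stated correctly.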