Make OpenVEX extensible ?

[FrancoisLR]

As OpenVEX is intended to be a minimal VEX implementation, is there a plan to make it extensible to support additionnal cases without requiring to modify the core specification ?

Examples of such extensions includes :

• Modify severity following a mitigation Modify severity #31.
• Support other identifiers Product identifiers with CycloneDX #23.
• Support version ranges Version ranges in product_id/subcomponent_id #26.
• Support other status labels and status justifications.
• Indicate a targeted release for the fix of an "affected" product.
• Add proof/demonstrations of fixes.
• Include a third party acknowledgement/certification of the statement.
• Link a vulnerability reported by a specific vulnerability assessment tool.
• Have a structured mitigation field to describe several mitigation scenarios.
• Support multiple authors of a statement. That is the product manufacturer confirmed an affected product and a 3rd party researcher propose a mitigation.
• Support logical predicates for product and vulnerability matching.
• etc.

Such extensions could be expressed in a Meta OpenVEX format which when processed againsts an SBOM could generate appropriate OpenVEX document, given the extension specification, to be included in the SBOM.