## **Idea to improve the JSON format of CVEs for automation**

Hi everyone,

As part of a school project, I’m working on automating the testing of CVEs (PoCs, vulnerable environments, automatic reproduction, etc.). While digging into the official JSON format, I’ve noticed two major issues:

### **1. SSVC is stored in `metrics.other`**

I parsed over 300,000 CVE JSON files (taken from the official repository: [https://github.com/CVEProject/cvelistV5/tree/main/cves](https://github.com/CVEProject/cvelistV5/tree/main/cves)). The `metrics.other` field is essentially a dumping ground, and SSVC doesn’t really fit the definition of a “metric.”

I propose moving SSVC into its own dedicated section, which would be more logical:

```json
"ssvc": {
  "exploitation": "poc",
  "automatable": true,
  "technicalImpact": "total"
}
```

### **2. No dedicated place for PoCs / docker-compose resources**

Right now, these links end up in `references`, mixed with blog posts, advisories, and patch notes. A dedicated section would make automation much easier:

```json
"automation": {
  "environment": {
    "url": "https://github.com/.../docker-compose.yml"
  },
  "poc": {
    "url": "https://github.com/.../poc.py"
  }
}
```

---

## **What do you think?**

Would this kind of restructuring make CVE data more usable in automated pipelines? Any ideas, objections, or improvements?

Thanks in advance for your feedback!
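An added example, not part of the original post: a Python sketch of what a pipeline has to do today to find SSVC inside `metrics.other` and flatten it into the `ssvc` shape proposed above. It assumes the layout in which the `other` entry has `type` set to `"ssvc"` and a `content.options` list of single-key objects; the sample record, the `KEYS` mapping and the `extract_ssvc` name are constructed for illustration.

```python
import json

# Constructed sample record (not a real CVE): SSVC sits in an ADP container
# under metrics[].other, next to an unrelated vendor entry in the CNA container.
SAMPLE = json.loads("""
{
  "cveMetadata": {"cveId": "CVE-0000-00000"},
  "containers": {
    "cna": {"metrics": [{"other": {"type": "vendor-score", "content": {"level": "high"}}}]},
    "adp": [{
      "metrics": [{"other": {"type": "ssvc", "content": {
        "options": [{"Exploitation": "poc"}, {"Automatable": "yes"},
                    {"Technical Impact": "total"}]}}}]
    }]
  }
}
""")

# Assumed decision-point labels mapped to the keys proposed in the post.
KEYS = {"exploitation": "exploitation", "automatable": "automatable",
        "technical impact": "technicalImpact"}

def extract_ssvc(record):
    """Return the SSVC decision points as a flat dict, or None if absent."""
    containers = record.get("containers", {})
    # Metrics can appear in the CNA container and in any number of ADP containers.
    sources = [containers.get("cna", {})] + list(containers.get("adp", []))
    for container in sources:
        for metric in container.get("metrics", []):
            other = metric.get("other") or {}
            content = other.get("content") if isinstance(other, dict) else None
            # metrics.other also carries non-SSVC data, so the type must be checked.
            if not isinstance(content, dict) or str(other.get("type", "")).lower() != "ssvc":
                continue
            flat = {}
            for option in content.get("options", []):
                for label, value in option.items():
                    key = KEYS.get(label.strip().lower())
                    if key == "automatable":
                        flat[key] = str(value).lower() == "yes"
                    elif key:
                        flat[key] = str(value).lower()
            if flat:
                return flat
    return None

if __name__ == "__main__":
    print(json.dumps({"ssvc": extract_ssvc(SAMPLE)}, indent=2))
```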