Documentation

CRIT — Cloud Resource Identifier Templates — is a machine-readable format for naming the specific cloud resources a CVE affects, alongside the lifecycle, fix-propagation, and shared-responsibility metadata that operators need to remediate it.

Where to start

• Spec overview — the v0.3.0 record schema in plain English.
• Vector strings — CVSS-style compact encoding for the classification fields, with full code → meaning tables.
• Variable system — the four template slot states (named, wildcard, empty, hardcoded) and producer selection rules.
• Resolution — how a consumer turns a template into a live identifier through dictionary + slot resolution.
• Provider dictionaries — the 30+ provider service catalogues that bind a (provider, service, resource_type) tuple to a template URL/ARN/locator format.
• Provider fix version — the discriminated provider_fix_version object, comparison operators, and per-provider version_type values.
• Detections — phase-tagged queries (pre_fix, exploitation, post_fix, misconfiguration), retention rules, and the pending-detection pattern.
• Exposure window — formal [W_start, W_end] computation with per-resource and channel-aware semantics.
• Conformance — producer + consumer MUSTs and SHOULDs, plus how to test them.
• Integrations (CVE 5.x, OSV) — how to embed CRIT in a CVE 5.x record’s ADP container or in OSV cloud:* ecosystems.
• ADP / x_crit integration — full mechanics for the CVE 5.x ADP path.
• Security considerations — the six classes of concern producers and consumers must account for.
• In-browser validator — paste a record, get instant validation. No data leaves your browser.

Status

Contributing

CRIT is developed in the open. Issues and PRs welcome at github.com/Vulnetix/ietf-crit-spec. For real-time discussion join the Vulnetix Discord.