Docs

Documentation

CRIT — Cloud Resource Identifier Templates — is a machine-readable format for naming the specific cloud resources a CVE affects, alongside the lifecycle, fix-propagation, and shared-responsibility metadata that operators need to remediate it.

Where to start

  • Spec overview — the v0.3.0 record schema in plain English.
  • Vector strings — CVSS-style compact encoding for the classification fields, with full code → meaning tables.
  • Variable system — the four template slot states (named, wildcard, empty, hardcoded) and producer selection rules.
  • Resolution — how a consumer turns a template into a live identifier through dictionary + slot resolution.
  • Provider dictionaries — the 30+ provider service catalogues that bind a (provider, service, resource_type) tuple to a template URL/ARN/locator format.
  • Provider fix version — the discriminated provider_fix_version object, comparison operators, and per-provider version_type values.
  • Detections — phase-tagged queries (pre_fix, exploitation, post_fix, misconfiguration), retention rules, and the pending-detection pattern.
  • Exposure window — formal [W_start, W_end] computation with per-resource and channel-aware semantics.
  • Conformance — producer + consumer MUSTs and SHOULDs, plus how to test them.
  • Integrations (CVE 5.x, OSV) — how to embed CRIT in a CVE 5.x record’s ADP container or in OSV cloud:* ecosystems.
  • ADP / x_crit integration — full mechanics for the CVE 5.x ADP path.
  • Security considerations — the six classes of concern producers and consumers must account for.
  • In-browser validator — paste a record, get instant validation. No data leaves your browser.

Status

ItemVersionStatus
Specificationdraft-vulnetix-crit-02Active development
JSON Schema (record)crit-record-v0.3.0.schema.jsonReleased
JSON Schema (dictionary)crit-dictionary-v0.3.0.schema.jsonReleased
Reference implementationgithub.com/Vulnetix/ietf-crit-spec @ v0.3.0Released

Contributing

CRIT is developed in the open. Issues and PRs welcome at github.com/Vulnetix/ietf-crit-spec. For real-time discussion join the Vulnetix Discord.

Spec Overview
A CRIT record is a JSON object that ties a single CVE to a single cloud resource template, with the lifecycle and …
Vector String
The CRIT vector string is a CVSS-style compact encoding of a record’s classification + identity fields. It is …
Provider Dictionaries
A dictionary binds a (provider, service, resource_type) tuple to: a template URL/ARN/locator with {slot} placeholders a …
ADP / x_crit Integration
CRIT records are designed to be embedded in CVE 5.x records — not shipped as a parallel feed. The CVE.org record format …
Variable System (Template Slots)
A CRIT template is a provider identifier with zero or more slots. Each slot is one of four normative states. The choice …
Exposure Window
The exposure window is the interval during which a specific cloud resource is in a vulnerable configuration. CRIT …
Resolution
How a consumer turns a CRIT template into a live provider identifier (or an inventory query). Two layers of resolution …
Provider Fix Version
Cloud resources don’t use package-style versioning. There’s no semver string to compare, no registry entry …
Detections
detections[] is an array of phase-tagged queries a consumer can deploy to find affected resources, exploitation …
Conformance
The spec defines conformance for two roles: producers (parties that author CRIT records) and consumers (tools that …
Integrations (CVE 5.x, OSV)
CRIT records are designed to embed in existing vulnerability record formats, not to ship as a parallel feed. Two …
Security Considerations
CRIT carries operational signal that informs remediation decisions. The same signal can mislead consumers if …