OWASP / www-project-top-10-for-large-language-model-applications

OWASP Foundation Web Repository

Merge summary file into the Vulnerabilities files #225

Open Bobsimonoff opened 11 months ago

Bobsimonoff commented 11 months ago

Currently the summary of each risk is in a single file that is separate from the actual risk details. This causes a disconnect when the risk is updated. Above the description in the template for each risk, I would like to see the summary section. Then at production time all the summary sections can be grabbed and put into a single file for PDF generation.

GangGreenTemperTatum commented 11 months ago

Hey @Bobsimonoff can you highlight the specific area you are referring to please, or a screenshot? TYIA

Bobsimonoff commented 11 months ago

[image]

These summaries only exist together in a single file. The individual risk documents do not contain the summaries.

GangGreenTemperTatum commented 11 months ago

Understood, thanks. Adding @rossja but IMO the idea is to keep the vulnerabilities concise and duplicating data or adding too much additional context can cause confusion, lack of focus and ultimately not deliver our intention.

Bobsimonoff commented 11 months ago

Here is my thinking when you say, "the idea is to keep the vulnerabilities concise and duplicating data or adding too much additional context can cause confusion" -- I agree. Adding a 1-sentence summary is not additional context and the risks should be concise. However, when we have risks that look like this:

[image]

or this

[image]

I think an additional sentence at the top that says summary like the following greatly helps the reader:

Summary

Manipulating LLMs via crafted inputs can lead to unauthorized access, data breaches, and compromised decision-making.

Summary

Tampered training data can impair LLM models leading to responses that may compromise security, accuracy, or ethical behavior.

We do have some very short risk descriptions and some long ones. Here are the word counts for the description sections of each LLM risk:

The longest summary we have is 20 words.

Up to everyone else, it is just a thought to make things easier for maintenance and the reader.

rossja commented 11 months ago

I agree that putting the summary into the entries is likely a good idea. I already had that on my own list of questions to raise for v2, so this issue is perfect timing.