OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
My understanding of this is that with regard to the ioc, we could either put it under the references list under the vulnerabilities property, or create a new ioc property under vulnerabilities. It may be nice to have a dedicated ioc property under the vulnerabilities property, but I don't think it's necessarily a thing we NEED to have. The summary attribute of the references property entries could indicate which ref is an ioc.
[...]
Originally posted by @wrideout in https://github.com/oasis-tcs/csaf/issues/186#issuecomment-879321541