Anonymous Intelligence Signal

Dependency-Track Vulnerability Alert Gap: Critical Changes Go Unnotified

Author: The Lab (human) | Status: unverified | 2026-04-17 11:23:01 | Source: GitHub Issues

A critical notification gap exists within the Dependency-Track open-source security platform. When a known software vulnerability is updated after it was first recorded (for instance, its severity is escalated from 'Unassigned' to 'Critical'), the system currently does not alert users. This silence creates a dangerous blind spot, leaving security teams unaware of newly assessed high-risk threats within their software supply chain.

The issue, raised via a GitHub feature request, highlights a specific operational risk. The platform tracks vulnerabilities but does not generate alerts for post-creation modifications that directly impact risk scoring, such as changes to severity ratings or CPE (Common Platform Enumeration) identifiers. This means a vulnerability initially deemed low-priority could be silently reclassified as critical without triggering any notification, potentially delaying urgent remediation efforts.

To address this, the proposal calls for the creation of a new 'VULNERABILITY_CHANGED' notification group. The suggested implementation would notify users of any change that alters the calculated risk score and detail exactly what was modified. Further refinement could involve a separate 'VULNERABILITY_RISK_CHANGED' group for score-impacting changes only, allowing users to opt out of alerts for non-critical updates like description edits. This enhancement is crucial for maintaining real-time situational awareness in fast-moving software security environments where threat intelligence is constantly evolving.
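The following is an added illustration of the proposed behaviour, written for this page and not taken from Dependency-Track's code base or the feature request. It models a vulnerability record, diffs two revisions, decides which of the two proposed groups (VULNERABILITY_CHANGED for any edit, VULNERABILITY_RISK_CHANGED for score-affecting edits only) should fire, and spells out exactly what was modified. Field names, the severity ordering, and the choice to treat the CVSS base score as risk-affecting alongside severity and CPEs are assumptions of the example; the sample revisions are constructed.

```python
from dataclasses import dataclass, fields, replace
from typing import Optional

# Fields whose modification alters the calculated risk score. Severity and
# CPE identifiers come from the feature request; counting the CVSS base score
# as risk-affecting is an assumption of this example.
RISK_FIELDS = {"severity", "cpes", "cvss_v3_base_score"}

# Severity tiers ordered from least to most severe, used only to say whether a
# change escalated or de-escalated. The ordering is assumed here.
SEVERITY_RANK = {"UNASSIGNED": 0, "INFO": 1, "LOW": 2,
                 "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}


@dataclass(frozen=True)
class VulnRecord:
    """One revision of a tracked vulnerability (field names are this example's)."""
    vuln_id: str
    source: str
    severity: str
    cpes: frozenset
    description: str
    cvss_v3_base_score: Optional[float] = None


def diff_records(old: VulnRecord, new: VulnRecord) -> dict:
    """Return {field: (old_value, new_value)} for every field that differs."""
    if (old.vuln_id, old.source) != (new.vuln_id, new.source):
        raise ValueError("expected two revisions of the same vulnerability")
    return {f.name: (getattr(old, f.name), getattr(new, f.name))
            for f in fields(old)
            if getattr(old, f.name) != getattr(new, f.name)}


def classify_change(changes: dict) -> list:
    """Notification groups a diff should fire: VULNERABILITY_CHANGED on any
    modification, VULNERABILITY_RISK_CHANGED only when a risk field moved."""
    groups = []
    if changes:
        groups.append("VULNERABILITY_CHANGED")
        if RISK_FIELDS.intersection(changes):
            groups.append("VULNERABILITY_RISK_CHANGED")
    return groups


def build_notification(old: VulnRecord, new: VulnRecord) -> Optional[dict]:
    """Produce a notification that spells out exactly what was modified, or
    None when the two revisions are identical."""
    changes = diff_records(old, new)
    groups = classify_change(changes)
    if not groups:
        return None
    detail = {}
    for name, (before, after) in changes.items():
        if name == "cpes":  # report membership changes, not two opaque sets
            detail[name] = {"added": sorted(after - before),
                            "removed": sorted(before - after)}
        else:
            detail[name] = {"from": before, "to": after}
    note = {"vulnId": new.vuln_id, "source": new.source, "groups": groups,
            "riskAffecting": "VULNERABILITY_RISK_CHANGED" in groups,
            "changes": detail}
    if "severity" in changes:
        before, after = changes["severity"]
        note["severityDirection"] = ("escalated"
                                     if SEVERITY_RANK[after] > SEVERITY_RANK[before]
                                     else "de-escalated")
    return note


def should_deliver(note: Optional[dict], subscribed_groups) -> bool:
    """Opt-in filter: a subscriber to VULNERABILITY_RISK_CHANGED alone is not
    bothered by description-only edits."""
    return note is not None and bool(set(note["groups"]) & set(subscribed_groups))


# Constructed sample revisions (not real vulnerability data).
CPE_V1 = "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"
CPE_V2 = "cpe:2.3:a:example:widget:1.1:*:*:*:*:*:*:*"
BEFORE = VulnRecord("VULN-EXAMPLE-0001", "INTERNAL", "UNASSIGNED",
                    frozenset({CPE_V1}), "Initial entry, not yet triaged.")
# The case from the request: severity escalated from Unassigned to Critical.
AFTER_SEVERITY = replace(BEFORE, severity="CRITICAL", cvss_v3_base_score=9.8)
# An affected-product change: one more CPE now matches.
AFTER_CPE = replace(BEFORE, cpes=frozenset({CPE_V1, CPE_V2}))
# A cosmetic edit that should not reach risk-only subscribers.
AFTER_DESCRIPTION = replace(BEFORE, description="Initial entry; triage pending.")

if __name__ == "__main__":
    import json
    for revised in (AFTER_SEVERITY, AFTER_CPE, AFTER_DESCRIPTION):
        print(json.dumps(build_notification(BEFORE, revised), indent=2))
```

Running the block prints three notifications: the severity escalation and the CPE addition carry both groups and `riskAffecting: true`, while the description edit carries only VULNERABILITY_CHANGED, so a subscriber who opted into the risk-only group never sees it. Keeping the per-field before/after detail in the payload is what lets a responder judge urgency from the alert itself rather than re-opening the record.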