Increasing vulnerability transparency with Supplier-ADP
Since 2024, the Cybersecurity and Infrastructure Security Agency (CISA) has run the “Vulnrichment” program to enrich CVE data with additional information. The goal is to give additional context and help defenders assess the specific risk of these vulnerabilities. Each CVE record on cve.org or GitHub has an Authorized Data Publisher (ADP) container where this data is stored, alongside the data supplied by the CVE Numbering Authority (CNA).
As a next level, Siemens PSIRT advocated a further extension of this: the Supplier-ADP (SADP), which was piloted in the last months and finally introduced in April 2026. The SADP comes in handy if a supplier like Siemens wants to add information to a vulnerability that originates in an upstream dependency.
As an example, we can take CVE-2025-47809. This vulnerability originates in Wibu CodeMeter and has a CVSS score of 8.2. Siemens released two advisories for it, namely SSA-201595 and SSA-331739, to inform customers and security-scanner vendors that certain Siemens products use this component and inherit the vulnerability. However, some people do not follow Siemens Security Advisories directly and take their information from sources such as cve.org; with the SADP they can now be informed, too.
With the current SADP approach, we expect that vulnerability scanners can increase their “true positive” rates for affected Siemens products. In future, when Siemens also publishes “known not affected” products, we expect the number of “false positives” to drop. “False positives” occur when vulnerable components are installed in a system but the vulnerability cannot be exploited there.
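To make the mechanism concrete, here is an added example (not code from Siemens PSIRT or CISA) of how a scanner can read a CVE JSON 5.x record, merge the CNA's `affected` list with the `affected` lists carried in ADP containers, and turn the result into per-product verdicts for an installed-software inventory. The record embedded below is constructed: the CVE id, the CodeMeter component and the 8.2 score come from the article, but every product name, version, `orgId` and the ADP `shortName` value `Siemens-SADP` are placeholders and do not reproduce the real record. The `affected[]`, `defaultStatus` and per-version `status` fields (`affected`, `unaffected`, `unknown`) are the standard CVE JSON 5.x fields.

```python
"""Merge CNA and ADP 'affected' data from a CVE JSON 5.x record into
scanner verdicts. Added illustration; the record below is CONSTRUCTED."""
import json

# Constructed record. Product, version and orgId values are placeholders;
# "Siemens-SADP" is an assumed shortName for the supplier ADP container.
CONSTRUCTED_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2025-47809", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "providerMetadata": {"shortName": "EXAMPLE-CNA", "orgId": "00000000-0000-0000-0000-000000000000"},
            "affected": [{
                "vendor": "Wibu-Systems", "product": "CodeMeter",
                "defaultStatus": "unaffected",
                "versions": [{"version": "0", "lessThan": "X.Y (placeholder)",
                              "status": "affected", "versionType": "custom"}],
            }],
            "metrics": [{"cvssV3_1": {"baseScore": 8.2}}],
        },
        "adp": [
            {   # enrichment-style entry with no product data (constructed)
                "providerMetadata": {"shortName": "CISA-ADP"},
                "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-47809"}}}],
            },
            {   # supplier ADP entry: the downstream products (constructed)
                "providerMetadata": {"shortName": "Siemens-SADP"},
                "affected": [
                    {"vendor": "Siemens", "product": "Example Product A",
                     "defaultStatus": "affected",
                     "versions": [{"version": "0", "lessThan": "2.4",
                                   "status": "affected", "versionType": "custom"}]},
                    # a "known not affected" product: lets scanners suppress a false positive
                    {"vendor": "Siemens", "product": "Example Product B",
                     "defaultStatus": "unaffected", "versions": []},
                ],
            },
        ],
    },
})


def load_record(text):
    """Parse a CVE JSON 5.x record from its JSON text."""
    record = json.loads(text)
    if record.get("dataType") != "CVE_RECORD":
        raise ValueError("not a CVE_RECORD document")
    return record


def product_status(entry):
    """Collapse one affected[] entry to a product-level status.

    Any version marked affected makes the product affected; otherwise the
    defaultStatus decides, unless some version range is explicitly unknown."""
    versions = entry.get("versions", [])
    if any(v.get("status") == "affected" for v in versions):
        return "affected"
    default = entry.get("defaultStatus", "unknown")
    if default == "affected":
        return "affected"
    if default == "unaffected" and all(v.get("status") != "unknown" for v in versions):
        return "unaffected"
    return "unknown"


def collect_statuses(record, include_adp=True):
    """Return {(vendor, product): (status, source_shortName)} from the CNA
    container and, when include_adp is set, every ADP container."""
    containers = record["containers"]
    sources = [containers["cna"]]
    if include_adp:
        sources += containers.get("adp", [])
    statuses = {}
    for container in sources:
        source = container["providerMetadata"]["shortName"]
        for entry in container.get("affected", []):
            key = (entry.get("vendor", ""), entry.get("product", ""))
            statuses[key] = (product_status(entry), source)
    return statuses


def triage_inventory(record, inventory, include_adp=True):
    """Map each installed (vendor, product) to a scanner verdict:
    'flag' = known affected, 'suppress' = known not affected, 'unknown' = no data."""
    statuses = collect_statuses(record, include_adp)
    verdicts = {"affected": "flag", "unaffected": "suppress"}
    return {key: verdicts.get(statuses.get(key, ("unknown", None))[0], "unknown")
            for key in inventory}


if __name__ == "__main__":
    rec = load_record(CONSTRUCTED_RECORD)
    inventory = [("Wibu-Systems", "CodeMeter"),
                 ("Siemens", "Example Product A"),
                 ("Siemens", "Example Product B")]
    print("CNA only :", triage_inventory(rec, inventory, include_adp=False))
    print("with SADP:", triage_inventory(rec, inventory))
```

Running the block shows the effect the article describes: with only the CNA container, the two Siemens products stay `unknown` because the record knows nothing about downstream use of CodeMeter; with the supplier ADP container, Example Product A becomes a `flag` (a true positive the scanner would otherwise miss) and Example Product B, published as known not affected, becomes `suppress` (a false positive removed). A production scanner would additionally match the installed version against the `versions[]` ranges rather than working at product granularity, and should treat the provider `shortName` as the audit trail for where each verdict came from.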