Feedback about Security Vulnerability API

• Entries should have a technical ID for further processing the correct entries. At the moment I've used cve_id and atl_tracking_url to identify unique entries. In the example the same CVE has two BAM issues with different summaries. So the CVE itself is also not unique for a product
  Example:
  • https://api.atlassian.com/vuln-transparency/v1/cves?cve_ids=CVE-2023-28709&products=Bamboo+Data+Center%2CBamboo+Server
  • https://jira.atlassian.com/browse/CONFSERVER-91258
    Looking at issue history the CVE ID has changed from CVE-2023-22512 to CVE-2024-21679
    
• CVE details output format (https://developer.atlassian.com/platform/security-vulnerability-api/rest/api-group-cves/#api-group-cves) can the specified as html, plaintext and adf. Can someone update the API documentation?
  Example: https://api.atlassian.com/vuln-transparency/v1/cves?format=html&cve_ids=CVE-2022-1471
  returns "400_BAD_REQUEST invalid format: html".
  Also adf works only in small letters and plaintext works only as text.
• Jira Core Data Center isn't a product / license that exists as of today :)
• affected_products contains just the Marketing names. It would be great to also have the application / product keys propogated to a separate attribute that are used in the Marketplace API (https://developer.atlassian.com/platform/marketplace/rest/v2) instead of only human readable names.
• affected_products not always accurate looking at CVE-2023-42794 (https://jira.atlassian.com/browse/JSWSERVER-25400) if the problem itself is in Apache Tomcat, then Jira Core and Jira Service Management are also affected by this. Not sure how I would solve this because technically it doesn't matter... Server / Data Center is the same deployment package and Jira Software & Jira Service Management are technically still apps just bundled into a single deployment that runs on Jira "Core without bundled products". As JSW and JSM updates are distributed only with Jira Core, Jira Core should be always an affected application. But might be different again when e.g. the problem is in Assets, Advanced Roadmaps, Automation for Jira or any other bundled app.
• Getting the affected & fixed versions isn't perfect...
  Example: https://api.atlassian.com/vuln-transparency/v1/products?products=Bamboo%20Server%2CBamboo%20Data%20Center&cve_ids=CVE-2023-28709
  Remember I filtered for a specific CVE for a product...
  
  I'll have the feeling after looking at https://www.atlassian.com/trust/data-protection/vulnerabilities that it's mixed up with Confluence in the response also it wasn't requested?
• Having a vulnerability type attribute (e.g. overflow, memory corruption, SQL injection, etc) would be nice for further filtering

Little feedback for the portal itself:

• Ability to directly link to a vulnerability

And in general it would be great if there would be an initiative to also open this to app vendors maybe as part of the Marketplace Security Bug Bounty Program.

Kind Regards,
Tim