{"types":[{"type":"advisory","description":"Vulnerability publications — CVEs, vendor advisories, GHSAs, incident reports","long_description":"Publications about vulnerabilities — CVE records, GHSA advisories, vendor advisories, and incident reports (AIID, NHTSA, FDA adverse events). Both vuln advisories and incident reports answer 'this happened.'","namespace_count":56,"subtypes":[{"value":"incident","description":"Incident reports — publications documenting that an AI, automated, or computing system caused harm or behaved badly. Sources include AIID, AIAAIC, NHTSA SGO crash reports, and CA DMV autonomous-vehicle reports.","count":5}]},{"type":"capability","description":"Product security features — AWS encryption, CloudTrail, Azure RBAC","long_description":"Concrete product security features with configuration options, audit commands, and remediation instructions. Vendor-authoritative facts about what a product can do.","namespace_count":54,"subtypes":[]},{"type":"control","description":"Security requirements — NIST CSF, ISO 27001, CCM, CIS Benchmarks","long_description":"Normative security requirements — frameworks (NIST CSF, ISO 27001), control catalogs (CCM, AICM), benchmarks (CIS, HarmBench), and documentation standards (Model Cards). Defines what must be done or tested.","namespace_count":208,"subtypes":[]},{"type":"disclosure","description":"Vulnerability disclosure programs, policies, reporting channels","long_description":"Vulnerability disclosure programs — CVE Numbering Authorities, PSIRTs, bug bounty programs, security.txt entries, and policy documents. Tells researchers how and where to report.","namespace_count":486,"subtypes":[]},{"type":"entity","description":"Organizations, products, services","long_description":"Organizations (Microsoft, NIST, ISO), products (Office 365, AWS S3), and services. Identity records — cited as anchors by other types.","namespace_count":950,"subtypes":[]},{"type":"methodology","description":"Formal processes — scoring, mapping, risk assessment, threat modeling","long_description":"Formal processes with defined inputs, steps, and outputs — methodologies for scoring (CVSS, SSVC, EPSS), mapping (IR 8477, CTID), risk management (FAIR, ISO 27005), threat modeling (STRIDE, PASTA), and more.","namespace_count":23,"subtypes":[{"value":"mapping","description":"Methodologies that produce a mapping/crosswalk from one framework to another.","count":7},{"value":"scoring","description":"Methodologies that produce a score, prioritization decision, or rating.","count":7},{"value":"risk-management","description":"Methodologies for identifying, analyzing, evaluating, and treating risk.","count":6},{"value":"vulnerability-management","description":"Methodologies for receiving, handling, and disclosing vulnerabilities.","count":2},{"value":"threat-modeling","description":"Methodologies for systematically identifying threats against a system.","count":3},{"value":"security-testing","description":"Methodologies for conducting security tests and assessments.","count":4},{"value":"digital-forensics","description":"Methodologies for digital evidence collection, preservation, and analysis.","count":5},{"value":"incident-management","description":"Methodologies for detecting, handling, and analyzing security incidents.","count":3},{"value":"supply-chain","description":"Methodologies for software supply chain security.","count":2},{"value":"audit-certification","description":"Methodologies for conformity assessment and certification.","count":4},{"value":"classification","description":"Methodologies for classifying or labeling information for handling (e.g., TLP).","count":1}]},{"type":"reference","description":"Documents, research, identifier systems — arXiv, DOI, RFCs, CSA artifacts","long_description":"Documents, research papers, and identifier systems — arXiv, DOI, ISBN, RFCs, and CSA artifacts. Citation targets without normative force.","namespace_count":185,"subtypes":[{"value":"glossary","description":"A glossary document with addressable term-level subpaths. Entry is identity-only; term data lives in a separate dataset repository.","count":null}]},{"type":"regulation","description":"Laws and legal requirements — GDPR, HIPAA, PCI DSS","long_description":"Laws, directives, and binding legal requirements — GDPR, HIPAA, NIS2, PSD2, and national transpositions of EU directives.","namespace_count":49,"subtypes":[]},{"type":"ttp","description":"Adversary techniques — MITRE ATT&CK, ATLAS, CAPEC","long_description":"Tactics, techniques, and procedures used by adversaries — MITRE ATT&CK (enterprise, mobile, ICS), ATLAS (AI attacks), and CAPEC.","namespace_count":4,"subtypes":[]},{"type":"weakness","description":"Abstract flaw patterns — CWE, OWASP Top 10","long_description":"Abstract weakness patterns — Common Weakness Enumeration (CWE) and OWASP Top 10 categories. Not specific vulnerabilities; classes of flaws.","namespace_count":13,"subtypes":[]}]}