vulnerability feedback EN - edamametechnologies/threatmodels GitHub Wiki
Vulnerability Feedback Privacy Policy (EN)
By reporting a dismissed vulnerability or AI-agent divergence finding to EDAMAME, you agree to share the following information about that finding, as it appears in the dismissal dialog on this device:
- The finding domain (vulnerability or divergence) and its stable identifier
- The finding title, severity (LOW / HIGH / CRITICAL) and the deterministic check or alignment category that produced it
- The dismissal scope you chose (single finding, process-for-check, process lineage, process and material class, or agent / workspace pattern), the chosen severity ceiling, and the optional time-to-live
- The matcher fields used to scope the dismissal: process basename and executable path, parent process basename and executable path, parent script path, sensitive material classes (for example
ssh,aws_credentials), sensitive path classes (for exampledot_ssh), bucketed network destination class and port, AI agent type, agent instance identifier (a 12-character hash, not a personal name), and workspace root when the finding is workspace-scoped - The free-form reason recorded with the local dismissal rule, plus any optional note and email you fill in below
- The local OS name, OS version, and EDAMAME core version, so the team can correlate suppression patterns across platforms
This report is sent only when you explicitly check "Report to EDAMAME" in the dismissal dialog. The local dismissal rule is already applied on this device before this report is sent; reporting does not change local policy and does not enroll this device in any remote management. The report is treated as feedback intended to harden the EDAMAME detection engine, not as a remediation order.
If you do not agree with this policy, please do not check the "Report to EDAMAME" box. The local dismissal still applies.