diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
index ddcfc3f7..97a28dab 100644
--- a/schema/bom-1.6.proto
+++ b/schema/bom-1.6.proto
@@ -888,7 +888,7 @@ message Vulnerability {
 optional Source source = 3;
 // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Oftentimes, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
 repeated VulnerabilityReference references = 4;
- // List of vulnerability ratings
+ // List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.
 repeated VulnerabilityRating ratings = 5;
 // List of Common Weaknesses Enumerations (CWEs) codes that describe this vulnerability. For example, 399 (of https://cwe.mitre.org/data/definitions/399.html)
 repeated int32 cwes = 6;
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index 8bc9d3d6..9aa94372 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -2681,7 +2681,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings",
+ "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
index 847c5261..f4d6eb37 100644
--- a/schema/bom-1.6.xsd
+++ b/schema/bom-1.6.xsd
@@ -4218,7 +4218,7 @@ limitations under the License.
- List of vulnerability ratings.
+ List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.
diff --git a/schema/bom-1.7.proto b/schema/bom-1.7.proto
index 6def360f..ac905b93 100644
--- a/schema/bom-1.7.proto
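Review bot: The `description` added to `ratings` in bom-1.6.schema.json (`Consumers SHOULD use ratings and SHOULD NOT ignore them`) does not match the sentence the same commit adds to bom-1.6.proto and bom-1.6.xsd (`Consumers SHOULD consider ratings in prioritization decisions`), so the three serializations of the same field now carry different normative guidance. A consumer typically implements only one of the three formats, so the text should be identical across them; I would reuse the proto/XSD sentence here, and `SHOULD NOT ignore them` can go, since it adds nothing to `SHOULD use`. The trailing clause `source ratings may differ and aid prioritization` is also ambiguous (it can be read as one source's ratings varying rather than different sources disagreeing), so I would write the whole value as `"description": "List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; ratings from different sources may differ, and the differences themselves are useful input to prioritization."`. The XSD hunk in this view shows only its changed line with its six context lines missing, so I could not confirm which `xs:documentation` element that text sits in.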
+++ b/schema/bom-1.7.proto
@@ -990,7 +990,7 @@ message Vulnerability {
 optional Source source = 3;
 // Zero or more pointers to vulnerabilities that are the equivalent of the vulnerability specified. Oftentimes, the same vulnerability may exist in multiple sources of vulnerability intelligence but have different identifiers. References provide a way to correlate vulnerabilities across multiple sources of vulnerability intelligence.
 repeated VulnerabilityReference references = 4;
- // List of vulnerability ratings
+ // List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.
 repeated VulnerabilityRating ratings = 5;
 // List of Common Weaknesses Enumerations (CWEs) codes that describe this vulnerability. For example, 399 (of https://cwe.mitre.org/data/definitions/399.html)
 repeated int32 cwes = 6;
diff --git a/schema/bom-1.7.schema.json b/schema/bom-1.7.schema.json
index 785acacb..d9311c03 100644
--- a/schema/bom-1.7.schema.json
+++ b/schema/bom-1.7.schema.json
@@ -2841,7 +2841,7 @@
 "ratings": {
 "type": "array",
 "title": "Ratings",
- "description": "List of vulnerability ratings",
+ "description": "List of vulnerability ratings. Consumers SHOULD use ratings and SHOULD NOT ignore them; source ratings may differ and aid prioritization.",
 "items": {
 "$ref": "#/definitions/rating"
 }
diff --git a/schema/bom-1.7.xsd b/schema/bom-1.7.xsd
index deba3de2..4549d6fd 100644
--- a/schema/bom-1.7.xsd
+++ b/schema/bom-1.7.xsd
@@ -4461,7 +4461,7 @@ limitations under the License.
- List of vulnerability ratings.
+ List of vulnerability ratings. Consumers SHOULD consider ratings in prioritization decisions; source ratings may differ and aid prioritization.
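Review bot: The clause added to the `ratings` field comment in bom-1.7.proto, `source ratings may differ and aid prioritization`, is ambiguous: it can be read as a single source's ratings varying, whereas the `references` comment two lines above (the same vulnerability existing in multiple sources of vulnerability intelligence) suggests it means ratings from different sources disagreeing. Ratings in a BOM are asserted by whoever produced the document, so a consumer that simply takes the first or highest rating is trusting producer-supplied severity; the comment would be more useful if it told consumers to weigh each rating by where it came from, presumably the rating's own source and method fields, which are not visible in this hunk. I would write `// List of vulnerability ratings. Consumers SHOULD consider all ratings when prioritizing. Ratings from different sources may legitimately differ; the source and method of each rating, and the spread between them, are themselves useful input to prioritization.`. The same commit gives bom-1.7.schema.json a different sentence for this field (`SHOULD use ratings and SHOULD NOT ignore them`), so whichever wording is chosen should be copied verbatim into the JSON and XSD descriptions so the three serializations agree.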