zmanion changed the title from 'Consider "accept risk" as a VEX status' to 'Consider "risk accepted" as a VEX status' on Sep 25, 2023.
These elements may provide immediate capability to convey "risk accepted."
2.7.1.2.1 Action statement [action_statement]
For status “affected”, a VEX statement MUST include one [action_statement] that SHOULD describe actions to remediate or mitigate [vul_id].

2.7.2 Status notes [status_notes]
[status_notes] MAY convey information about how [status] was determined and MAY reference other VEX information.
Part of the discussion separates status from response decision, i.e., status can be affected, under investigation, or unknown, independently of the decision to accept risk. Risk assessment/acceptance is usually specific to the VEX consumer.
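As an added example (not code from this thread, from CISA, or from any VEX project), the following Python checker works over constructed OpenVEX-style statements: it enforces the quoted 2.7.1.2.1 rule, recognises "risk accepted" when it is recorded in [action_statement] or [status_notes] as the comment above suggests, and shows that a statement carrying the proposed "risk_accepted" status is rejected by a consumer that only knows the current status values. The field names, the sample document, its placeholder identifiers and the "risk accepted" text heuristic are assumptions.

```python
import json

# Statuses defined in the VEX minimum requirements. The "risk_accepted" value proposed
# in this thread is deliberately NOT included, so a current consumer would reject it.
VALID_STATUS = {"not_affected", "affected", "fixed", "under_investigation"}

# Constructed OpenVEX-style document; vulnerability and product ids are placeholders.
SAMPLE_VEX = json.dumps({"statements": [
    {"vulnerability": {"name": "CVE-PLACEHOLDER-1"},
     "products": [{"@id": "pkg:generic/example-app@1.0.0"}],
     "status": "affected",
     "action_statement": "Risk accepted: no remediation planned; vulnerable code "
                         "path is unreachable in this deployment.",
     "status_notes": "Risk accepted by product security; status will not be updated."},
    {"vulnerability": {"name": "CVE-PLACEHOLDER-2"},
     "products": [{"@id": "pkg:generic/example-app@1.0.0"}],
     "status": "affected"},
    {"vulnerability": {"name": "CVE-PLACEHOLDER-3"},
     "products": [{"@id": "pkg:generic/example-app@1.0.0"}],
     "status": "risk_accepted"},
]})

def check_statement(stmt):
    """Problems with one statement under the sections quoted above (empty list = ok)."""
    problems = []
    status = stmt.get("status")
    if status not in VALID_STATUS:
        problems.append(f"unknown status {status!r}")
    # 2.7.1.2.1: status "affected" MUST include one [action_statement].
    if status == "affected" and not stmt.get("action_statement"):
        problems.append("status 'affected' without action_statement")
    return problems

def is_risk_accepted(stmt):
    """True when an 'affected' statement records risk acceptance in its free-text fields."""
    if stmt.get("status") != "affected":
        return False
    text = " ".join(str(stmt.get(k, "")) for k in ("action_statement", "status_notes"))
    return "risk accepted" in text.lower()

def triage(doc_json):
    """Map vulnerability name -> (problems, risk_accepted) for every statement."""
    out = {}
    for stmt in json.loads(doc_json)["statements"]:
        out[stmt["vulnerability"]["name"]] = (check_statement(stmt), is_risk_accepted(stmt))
    return out

if __name__ == "__main__":
    for name, (problems, accepted) in triage(SAMPLE_VEX).items():
        print(name, "risk accepted" if accepted else "", problems)
```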
From a CISA VEX WG mailing list thread proposing a new VEX status:
2.7.1.5 Risk Accepted (“risk_accepted”)
The [author] of the VEX statement or other relevant parties have ruled this [vul_id] as presenting an insignificant risk, and will not further investigate the [vul_id] to assess whether it is “not_affected” or “affected” and will not further update the [status] of this [vul_id].
We believe this is a common practice in the industry for [vul_id]s of very low actual risk. This scenario is not satisfied by [status] being set to “not_affected” or to “under_investigation”, as there will be no further investigation to find whether or not the product is affected by the [vul_id], and the status will not progress to any other value from this state (no further investigation will be performed).