AVE Agentic Vulnerability Enumeration
Schema v1.0.0

Record schema

Every field in an AVE record — type, required or optional, and meaning. Records validate against schema/ave-record.schema.json. The schema sets additionalProperties: false, so a record containing any field the schema does not define fails validation.

Identity & description

Field (type, required or optional): Description

ave_id (string, required): Unique identifier. Format AVE-YYYY-NNNNN. Immutable once published — deprecated via status, never renumbered or deleted.
schema_version (string, required): Schema version, e.g. 1.0.0.
status (enum, required): active | deprecated | draft.
published (date-time, required): ISO 8601 datetime of first publication.
last_updated (date-time, optional): ISO 8601 datetime of most recent update.
title (string, required): Human-readable title, max 120 chars.
attack_class (string, required): Behavioral category, e.g. external_instruction_fetch. Not a vulnerability_type string.
component_type (enum, optional): skill | mcp_server | plugin | agent | tool | other.
description (string, required): Full description of the vulnerability class.
behavioral_fingerprint (string, required): What the component DOES that is dangerous. Behavioral, not a byte signature.
behavioral_vector (string[], optional): Tags summarising the attack path, e.g. supply-chain, external-fetch.
severity (enum, required): CRITICAL | HIGH | MEDIUM | LOW. CRITICAL implies aivss.aivss_score ≥ 9.0.
aivss_score (number, optional): Top-level shortcut to aivss.aivss_score (0–10). Mirrors the nested value.
cvss_base_vector (string, optional): CVSS 4.0 base vector string.
mutation_count (integer, optional): Number of distinct real-world mutations observed.

Framework mappings

owasp_mcp is required — every record needs at least one OWASP MCP anchor. The other three framework fields are optional but strongly recommended when applicable. Add owasp_mapping when the class maps to the Agentic AI Top 10. Add mitre_atlas_mapping when an ATLAS technique applies. Add nist_ai_rmf_mapping when relevant. A record without any ATLAS or NIST mapping is still valid; a record without OWASP MCP is not.

Field (type, required or optional): Description

owasp_mcp (string[], required): OWASP MCP Top 10. Format: MCPNN. Required — provides core OWASP grounding. ≥1.
owasp_mapping (string[], optional): OWASP Agentic AI Top 10. Format: ASINN. Optional — add when the class maps to the Agentic Top 10.
mitre_atlas_mapping (string[], optional): MITRE ATLAS technique IDs. Format: AML.Txxxx. Optional — add when an ATLAS technique applies. Omit if none exists yet.
nist_ai_rmf_mapping (string[], optional): NIST AI RMF mappings, e.g. MAP-1.5. Optional.
affected_platforms (string[], optional): Agent platforms known to be affected. Optional — fill as evidence accumulates.
affected_registries (string[], optional): Skill/tool registries where this class has been observed. Optional.

Detection & remediation

indicators_of_compromise is required with at least one entry. A record with no IOCs gives defenders nothing actionable. affected_platforms and affected_registries are optional — they grow over time as the class is observed in the wild, so records can be published before all affected surfaces are known.

Field (type, required or optional): Description

indicators_of_compromise (string[], required): Observable IOC strings. Required — at least one. Defenders need something actionable.
detection_methodology (string, optional): Step-by-step detection approach (static, semantic, sandbox). Optional.
remediation (string, required): How to mitigate or prevent the class.
kill_switch_active (boolean, optional): Whether a registry kill switch is active. Optional.

Provenance

references and researcher are both required. Every record must trace to a citable source and must be attributable to a person or team. These are the two fields a skeptic checks first.

Field (type, required or optional): Description

references (array, required): Primary sources: CVEs, papers, disclosures. Required ≥1. Each item: URI string or {tag, text, url} object.
researcher (string, required): Name of the researcher or team. Required — records must be attributable.
researcher_url (uri, optional): URL for the researcher or team. Optional.

The aivss object — OWASP AIVSS v0.8

The aarf block records 10 agentic amplification factors that distinguish AIVSS from plain CVSS. Required sub-fields: cvss_base, aars, thm, mitigation_factor, aivss_score, spec_version.

Field (type, required or optional): Description

cvss_base (number, required): 0–10.
aarf (object, optional): 10 agentic amplification factors (0–1 each): autonomy, tool_use, multi_agent, non_determinism, self_modification, dynamic_identity, persistent_memory, natural_language_input, data_access, external_dependencies.
aars (number, required): Agentic Amplification & Reachability Score (0–10).
thm (number, required): Threat & Heuristic Multiplier (0.5–1.5).
mitigation_factor (number, required): 0–1.
aivss_score (number, required): Final composed score (0–10).
aivss_severity (enum, optional): CRITICAL | HIGH | MEDIUM | LOW.
spec_version (const, required): Always “0.8”.
owasp_mcp_mapping (string[], optional): MCP Top 10 cross-reference inside the AIVSS object.
notes (string, optional): Free-text scoring rationale.

Scanner evidence declarations (optional)

Scanner-facing defaults. The record declares baselines; the scanner assigns per-finding actuals. Never carry per-detection values like confidence in a record. See architecture for the declares-vs-assigns contract.

Field (type, required or optional): Description

evidence_kind_default (enum, optional): tool_description_pattern | config_schema | file_type_mismatch | behavioral_pattern | semantic_inference | multi_engine.
detection_stage (enum, optional): static_detection | runtime_observed | runtime_drift_detected.
detection_layer (enum, optional): content | server_card | registry_metadata | runtime | transport.
confidence_baseline (number, optional): 0–1. Base confidence before FP pipeline adjustment.
evidence_basis_engines (string[], optional): pattern | yara | semgrep | llm | sandbox | magika.
derivable_into (string[], optional): Toxic-flow chain IDs this class participates in.

Never in a record

Per-detection runtime values belong only on the scanner finding: confidence, confidence_band, actual evidence_stage, confidence_reason, derived, line, match, suppressed.

15 required fields

ave_id · schema_version · status · published · title · description · attack_class · severity · behavioral_fingerprint · aivss · owasp_mcp · indicators_of_compromise · remediation · references · researcher

Example record

{
  "ave_id": "AVE-2026-00001",
  "schema_version": "1.0.0",
  "status": "active",
  "published": "2026-04-01T09:00:00Z",
  "title": "Metamorphic payload via external config fetch",
  "attack_class": "Supply Chain - Metamorphic Payload",
  "component_type": "skill",
  "severity": "HIGH",
  "description": "A skill fetches instructions from an external URL at runtime...",
  "behavioral_fingerprint": "Component fetches and executes remote content, replacing its own instructions at runtime.",
  "behavioral_vector": ["supply-chain", "external-fetch", "metamorphic"],
  "aivss_score": 8.0,
  "owasp_mcp": ["MCP04", "MCP06"],
  // optional but strongly recommended
  "owasp_mapping": ["ASI01", "ASI04"],
  "mitre_atlas_mapping": ["AML.T0011", "AML.T0054"],
  "nist_ai_rmf_mapping": ["MAP-1.5", "MEASURE-2.5"],
  "affected_platforms": ["claude-code", "cursor", "windsurf"],
  "affected_registries": ["smithery.ai", "clawhub.io"],
  "indicators_of_compromise": [
    "Component contains fetch() pointing to an external URL",
    "Network egress to unexpected domain during initialization"
  ],
  "detection_methodology": "1. Static scan. 2. Semantic analysis. 3. Behavioral sandbox.",
  "remediation": "Remove component. Block network egress. Audit agent actions.",
  "aivss": {
    "cvss_base": 8.5,
    "aars": 7.5,
    "thm": 1.0,
    "mitigation_factor": 1.0,
    "aivss_score": 8.0,
    "aivss_severity": "HIGH",
    "spec_version": "0.8",
    "aarf": {
      "autonomy": 1.0,
      "tool_use": 1.0,
      "self_modification": 1.0,
      "external_dependencies": 1.0,
      ...
    }
  },
  "references": [{"tag": "Disclosure", "text": "Invariant Labs blog", "url": "https://..."}],
  "researcher": "Bawbel Security Research Team",
  "researcher_url": "https://bawbel.io",
  // scanner evidence declarations (optional)
  "confidence_baseline": 0.85,
  "detection_stage": "static_detection",
  "detection_layer": "content",
  "evidence_basis_engines": ["pattern", "semgrep", "yara"]
}
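An added example, not part of the AVE project's own tooling: a Python lint for the rules this page states across its sections (the 15 required fields, the AVE-YYYY-NNNNN and MCPNN formats, the aivss ranges and spec_version, CRITICAL implying aivss.aivss_score ≥ 9.0, the mirrored top-level score, and the per-detection fields that must never appear in a record). The name lint_record and the GOOD/BAD sample records are constructed for illustration, and the check is meant to run alongside validation against schema/ave-record.schema.json, not in place of it.

```python
import re

REQUIRED = ("ave_id schema_version status published title description attack_class "
            "severity behavioral_fingerprint aivss owasp_mcp indicators_of_compromise "
            "remediation references researcher").split()
AIVSS_RANGES = {"cvss_base": (0, 10), "aars": (0, 10), "thm": (0.5, 1.5),
                "mitigation_factor": (0, 1), "aivss_score": (0, 10)}
# Per-detection values that belong on the scanner finding, never in a record.
FINDING_ONLY = {"confidence", "confidence_band", "evidence_stage", "confidence_reason",
                "derived", "line", "match", "suppressed"}

def lint_record(rec):
    """Return a list of rule violations; an empty list means the record passes."""
    errs = [f"missing required field: {f}" for f in REQUIRED if f not in rec]
    errs += [f"per-detection field in record: {f}" for f in sorted(rec.keys() & FINDING_ONLY)]
    if "ave_id" in rec and not re.fullmatch(r"AVE-\d{4}-\d{5}", str(rec["ave_id"])):
        errs.append("ave_id is not AVE-YYYY-NNNNN")
    for key in ("owasp_mcp", "indicators_of_compromise", "references"):
        if key in rec and not rec[key]:
            errs.append(f"{key} needs at least one entry")
    errs += [f"bad owasp_mcp id: {m}" for m in rec.get("owasp_mcp", [])
             if not re.fullmatch(r"MCP\d{2}", str(m))]
    aivss = rec.get("aivss", {})
    for f, (lo, hi) in AIVSS_RANGES.items():  # all five are required sub-fields
        if f not in aivss:
            errs.append(f"aivss missing {f}")
        elif not (isinstance(aivss[f], (int, float)) and lo <= aivss[f] <= hi):
            errs.append(f"aivss.{f} is not a number in {lo}-{hi}")
    if aivss.get("spec_version") != "0.8":
        errs.append("aivss.spec_version must be '0.8'")
    score = aivss.get("aivss_score")
    if rec.get("severity") == "CRITICAL" and isinstance(score, (int, float)) and score < 9.0:
        errs.append("CRITICAL severity with aivss_score below 9.0")
    if "aivss_score" in rec and rec["aivss_score"] != score:
        errs.append("top-level aivss_score does not mirror aivss.aivss_score")
    return errs

# Constructed sample record (placeholder values, not a published AVE entry).
GOOD = {"ave_id": "AVE-2026-00001", "schema_version": "1.0.0", "status": "active",
        "published": "2026-04-01T09:00:00Z", "title": "Sample", "description": "Sample.",
        "attack_class": "external_instruction_fetch", "severity": "HIGH", "aivss_score": 8.0,
        "behavioral_fingerprint": "Fetches remote instructions.", "owasp_mcp": ["MCP04"],
        "indicators_of_compromise": ["Unexpected egress at init"], "researcher": "Example Team",
        "remediation": "Remove component.", "references": ["https://example.com/advisory"],
        "aivss": {"cvss_base": 8.5, "aars": 7.5, "thm": 1.0, "mitigation_factor": 1.0,
                  "aivss_score": 8.0, "spec_version": "0.8"}}
BAD = {**GOOD, "severity": "CRITICAL", "confidence": 0.9,  # four rule breaks introduced
       "indicators_of_compromise": [], "aivss_score": 7.0}

print(*lint_record(BAD), sep="\n")
```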

Canonical schema: schema/ave-record.schema.json