Commit 6618b2b

skywalke34, paulOsinski, Maffooch authored
docs: Add Pro vs OSS comparison for cross-product risk acceptances (#13703)
* docs: Add Pro vs OSS comparison for cross-product risk acceptances
* Update risk_acceptances.md - correct scope b/w Pro and OSS
  Corrected risk acceptance scope at engagement level for OSS.
* Update docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md

---------

Co-authored-by: Paul Osinski <42211303+paulOsinski@users.noreply.github.com>
Co-authored-by: Cody Maffucci <46459665+Maffooch@users.noreply.github.com>
1 parent f01d0c2 commit 6618b2b

1 file changed

+13
-0
lines changed

docs/content/en/working_with_findings/findings_workflows/risk_acceptances.md

Lines changed: 13 additions & 0 deletions
@@ -25,6 +25,19 @@ Any Findings associated with a Full Risk Acceptance will be set to **Inactive**,
2525

2626
Generally, any Risk Acceptances should follow your internal security policy and be re\-examined at an appropriate time. As a result, Risk Acceptances also have expiration dates. Once a Risk Acceptance expires, any Findings will be set to Active again.
2727

28+
### DefectDojo Pro vs Open Source: Cross-Product Risk Acceptances
29+
30+
**DefectDojo Pro** provides enhanced Risk Acceptance capabilities that aid in managing risk decisions at scale:
31+
32+
* **Cross-Product Risk Acceptances**: In DefectDojo Pro, you can apply a single Risk Acceptance across multiple Products. For example, if CVE-2024-1234 appears in 10 different products, you can create one Risk Acceptance that governs all instances of that CVE across your entire portfolio.
33+
* **Bulk CVE Management**: Search for all Findings with a specific CVE or vulnerability ID, then apply a Risk Acceptance to all instances simultaneously, regardless of which Product they belong to.
34+
35+
**DefectDojo Open Source** implements Risk Acceptances at the Engagement level:
36+
37+
* **Product-Scoped Risk Acceptances**: Risk Acceptances are restricted to individual Products. If CVE-2024-1234 appears in 10 different products, you need to create 10 separate Risk Acceptances—one for each Engagement.
38+
39+
Both approaches follow the same Risk Acceptance workflow described below, but the scope differs based on your DefectDojo edition.
40+
2841
### Add a new Full Risk Acceptance
2942

3043
Risk Acceptances can be added to a Finding in two ways:
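Review bot: the Open Source bullet contradicts its own heading. The heading says Open Source implements Risk Acceptances "at the Engagement level", but the bullet is titled "Product-Scoped Risk Acceptances" and says they are "restricted to individual Products", and the count that follows ("10 separate Risk Acceptances", "one for each Engagement") only holds if every one of the 10 Products has exactly one Engagement; a Product with several Engagements needs one Risk Acceptance per affected Engagement. Suggest aligning the bullet with the heading, e.g. `* **Engagement-Scoped Risk Acceptances**: Risk Acceptances are tied to a single Engagement within a Product. If CVE-2024-1234 appears in 10 different Products, you need at least 10 separate Risk Acceptances, one for each affected Engagement.` It would also help the reader if the Pro bullet and the Open Source bullet used the same scope term (Product vs Engagement) consistently, since the closing sentence says only "the scope differs".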
