Merged
Expand Up @@ -25,6 +25,19 @@ Any Findings associated with a Full Risk Acceptance will be set to **Inactive**,

Generally, any Risk Acceptances should follow your internal security policy and be re\-examined at an appropriate time. As a result, Risk Acceptances also have expiration dates. Once a Risk Acceptance expires, any Findings will be set to Active again.

### DefectDojo Pro vs Open Source: Cross-Product Risk Acceptances

**DefectDojo Pro** provides enhanced Risk Acceptance capabilities that aid in managing risk decisions at scale:

* **Cross-Product Risk Acceptances**: In DefectDojo Pro, you can apply a single Risk Acceptance across multiple Products. For example, if CVE-2024-1234 appears in 10 different products, you can create one Risk Acceptance that governs all instances of that CVE across your entire portfolio.
* **Bulk CVE Management**: Search for all Findings with a specific CVE or vulnerability ID, then apply a Risk Acceptance to all instances simultaneously, regardless of which Product they belong to.

**DefectDojo Open Source** implements Risk Acceptances at the Engagement level:

* **Product-Scoped Risk Acceptances**: Risk Acceptances are restricted to individual Products. If CVE-2024-1234 appears in 10 different products, you need to create 10 separate Risk Acceptances—one for each Engagement.

Both approaches follow the same Risk Acceptance workflow described below, but the scope differs based on your DefectDojo edition.

### Add a new Full Risk Acceptance

Risk Acceptances can be added to a Finding in two ways:
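Review bot: the Open Source paragraph in this hunk mixes two scopes and should be made consistent. The lead sentence says Risk Acceptances are implemented "at the Engagement level", the bullet is titled "Product-Scoped Risk Acceptances" and says they are "restricted to individual Products", and the example counts "10 different products" but closes with "one for each Engagement". Since a Product can contain several Engagements, the number of Risk Acceptances needed differs depending on which scope actually applies; pick the scope that matches the implementation and make the bullet title, the sentence and the worked example agree (for instance "Engagement-Scoped Risk Acceptances: ... if CVE-2024-1234 appears in 10 different Engagements, you need to create 10 separate Risk Acceptances"). The closing line "Both approaches follow the same Risk Acceptance workflow described below, but the scope differs based on your DefectDojo edition" is only accurate once that scope is stated unambiguously.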