ADR 0001: CIDR Dispute Resolution Scope
=======================================

* Status: Accepted
* Date: 2026-02-05

Context
-------

Users can dispute the assignment of vulnerability reports. When a report contains IPs belonging to a CIDR range, the user might suggest assigning the responsibility to a different contact person.

The system allows assigning both individual IPs and CIDR ranges to contact persons. However, a dispute is typically raised in the context of a *single scan report*, which may only contain a subset of IPs from a larger CIDR block.

Decision
--------

When resolving a dispute involves a CIDR range suggestion:

1. The resolution **MUST ONLY** apply to the specific IPs found in the disputed report.
2. The system **MUST NOT** transparently transfer the ownership of the entire CIDR block globally to the new contact person based solely on the dispute resolution action.

Rationale
---------

* **Risk of Accidental Impact**: Moving a CIDR range (e.g., a `/16` or `/24` block) is a powerful action that affects ownership of potentially thousands of IPs. Doing so based on a dispute for a single report (which might only contain 1 or 2 IPs) is disproportionate and error-prone.
* **Granularity**: Disputes are often about specific findings or specific hosts. Users might resort to selecting a CIDR for convenience without realizing the global implications.
* **Workflow Separation**: Refactoring large network blocks should be a deliberate administrative action handled in the "Contact Persons" management interface, not a side effect of resolving a specific report dispute.

Consequences
------------

* **Manual Overhead**: If a user *does* intend to transfer an entire CIDR, they will have to do it separately in the Contact Person management view.
* **Data Integrity**: Prevents accidental "hijacking" or misassignment of network ranges.
* **Clarity**: Users can confidently resolve disputes knowing they aren't affecting other unreported hosts.
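
A sketch of the scoping rule from the Decision section, added here as an illustration and not taken from the project's code. It assumes ownership is stored as a network-to-contact mapping resolved by longest-prefix match, and that only report IPs inside the suggested CIDR are reassigned; `resolve_cidr_dispute`, `owner_of`, `demo` and the sample addresses are hypothetical.

```python
import ipaddress


def resolve_cidr_dispute(report_ips, suggested_cidr, new_contact, ownership):
    """Reassign only the disputed report's IPs that fall inside the suggested CIDR.

    `ownership` maps ip_network -> contact (assumed storage model). The CIDR
    acts purely as a filter; it is never written to `ownership` itself.
    """
    block = ipaddress.ip_network(suggested_cidr, strict=False)
    reassigned, untouched = [], []
    for raw in sorted(set(report_ips)):
        ip = ipaddress.ip_address(raw)
        if ip.version == block.version and ip in block:
            # Record a single-host entry (/32 or /128), not the block.
            host = ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}")
            ownership[host] = new_contact
            reassigned.append(str(ip))
        else:
            untouched.append(str(ip))  # outside the suggestion: owner unchanged
    return reassigned, untouched


def owner_of(ip, ownership):
    """Longest-prefix match, so a host entry overrides its enclosing block."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in ownership if n.version == addr.version and addr in n]
    return ownership[max(hits, key=lambda n: n.prefixlen)] if hits else None


def demo():
    # Constructed sample data: "alice" owns a /16; the disputed report lists
    # three IPs and the user suggests moving 10.20.0.0/24 to "bob".
    ownership = {ipaddress.ip_network("10.20.0.0/16"): "alice"}
    result = resolve_cidr_dispute(
        ["10.20.0.7", "10.20.0.9", "192.0.2.5"], "10.20.0.0/24", "bob", ownership
    )
    return ownership, result


if __name__ == "__main__":
    ownership, (moved, kept) = demo()
    print("reassigned:", moved, "untouched:", kept)
    print("10.20.0.8 (unreported, same /24) ->", owner_of("10.20.0.8", ownership))
```

The unreported host `10.20.0.8` sits inside the suggested `/24` yet keeps its original owner, which is the behaviour the second Decision item requires.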