ADR 0001: CIDR Dispute Resolution Scope

  • Status: Accepted

  • Date: 2026-02-05

Context

Users can dispute the assignment of vulnerability reports. When a report contains IPs belonging to a CIDR range, the user might suggest assigning the responsibility to a different contact person.

The system allows assigning both individual IPs and CIDR ranges to contact persons. However, a dispute is typically raised in the context of a single scan report, which may only contain a subset of IPs from a larger CIDR block.

Decision

When resolving a dispute involves a CIDR range suggestion:

  1. The resolution MUST ONLY apply to the specific IPs found in the disputed report.

  2. The system MUST NOT transparently transfer the ownership of the entire CIDR block globally to the new contact person based solely on the dispute resolution action.
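The two rules above can be sketched as follows. This is an added example, not code from the system this ADR describes; OwnershipStore, resolve_dispute, the contact names and the addresses are hypothetical, and the precedence of a per-IP assignment over a covering CIDR is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class OwnershipStore:
    """Hypothetical in-memory stand-in for the contact assignment data."""
    cidr_owner: dict = field(default_factory=dict)  # ip_network -> contact
    ip_owner: dict = field(default_factory=dict)    # ip_address -> contact

    def owner_of(self, ip):
        addr = ipaddress.ip_address(ip)
        # Assumption: a per-IP assignment overrides any covering CIDR.
        if addr in self.ip_owner:
            return self.ip_owner[addr]
        nets = [n for n in self.cidr_owner if addr in n]
        if not nets:
            return None
        # Most specific (longest prefix) CIDR wins.
        return self.cidr_owner[max(nets, key=lambda n: n.prefixlen)]


def resolve_dispute(store, report_ips, suggested_cidr, new_contact):
    """Reassign only the disputed report's IPs that fall inside suggested_cidr."""
    net = ipaddress.ip_network(suggested_cidr)  # raises ValueError on host bits
    changed = []
    for raw in report_ips:
        addr = ipaddress.ip_address(raw)
        if addr in net:  # False on IPv4/IPv6 mismatch
            store.ip_owner[addr] = new_contact
            changed.append(str(addr))
    # store.cidr_owner is deliberately never written here: block-level
    # ownership changes belong to the Contact Persons management workflow.
    return changed


if __name__ == "__main__":
    # Constructed sample data.
    store = OwnershipStore(cidr_owner={ipaddress.ip_network("10.20.0.0/16"): "alice"})
    report = ["10.20.5.7", "10.20.5.9", "192.0.2.10"]
    print(resolve_dispute(store, report, "10.20.5.0/24", "bob"))
    print(store.owner_of("10.20.5.7"), store.owner_of("10.20.5.8"))
```

An unreported host in the suggested range (10.20.5.8 in the sample) keeps its original contact, which is the property rule 2 protects.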

Rationale

  • Risk of Accidental Impact: Moving a CIDR range (e.g., a /16 or /24 block) is a powerful action that affects ownership of potentially thousands of IPs. Doing so based on a dispute for a single report (which might only contain 1 or 2 IPs) is disproportionate and error-prone.

  • Granularity: Disputes are often about specific findings or specific hosts. Users might resort to selecting a CIDR for convenience without realizing the global implications.

  • Workflow Separation: Refactoring large network blocks should be a deliberate administrative action handled in the “Contact Persons” management interface, not a side effect of resolving a specific report dispute.

Consequences

  • Manual Overhead: If a user does intend to transfer an entire CIDR, they will have to do it separately in the Contact Person management view.

  • Data Integrity: Prevents accidental “hijacking” or misassignment of network ranges.

  • Clarity: Users can confidently resolve disputes knowing they aren’t affecting other unreported hosts.