{
  "title": "Coalition ESS CVE Structure",
  "description": "Field-level documentation for the Coalition Exploit Scoring System CVE record.",
  "type": "object",
  "fields": [
    {
      "name": "cve_id",
      "type": "string",
      "required": true,
      "description": "CVE identifier in the form CVE-YYYY-NNNN(+)."
    },
    {
      "name": "description",
      "type": "string",
      "required": false,
      "description": "Free-text vulnerability description."
    },
    {
      "name": "published_at",
      "type": "string (date-time)",
      "required": false,
      "description": "When the CVE was first published."
    },
    {
      "name": "modified_at",
      "type": "string (date-time)",
      "required": false,
      "description": "When the CVE record was last modified."
    },
    {
      "name": "ess",
      "type": "CessScoreSummary",
      "required": false,
      "description": "Coalition Exploit Scoring System score, percentile, and shift flag.",
      "fields": [
        {"name": "score", "type": "number (0..1)", "description": "ML-derived likelihood of exploitation in the next 30 days."},
        {"name": "percentile", "type": "number (0..1)", "description": "Score percentile across all scored CVEs."},
        {"name": "shifting", "type": "boolean", "description": "Whether the score has materially shifted recently."}
      ]
    },
    {
      "name": "epss",
      "type": "EpssScoreSummary",
      "required": false,
      "description": "FIRST EPSS score and percentile.",
      "fields": [
        {"name": "score", "type": "number (0..1)", "description": "EPSS probability of exploitation in the next 30 days."},
        {"name": "percentile", "type": "number (0..1)", "description": "EPSS score percentile."}
      ]
    },
    {
      "name": "cvss",
      "type": "CvssScoreSummary",
      "required": false,
      "description": "CVSS base score and severity.",
      "fields": [
        {"name": "version", "type": "string", "description": "CVSS version (3.1, 4.0)."},
        {"name": "base_score", "type": "number (0..10)", "description": "CVSS base score."},
        {"name": "severity", "type": "string", "description": "NONE | LOW | MEDIUM | HIGH | CRITICAL."},
        {"name": "vector", "type": "string", "description": "CVSS vector string."}
      ]
    },
    {
      "name": "exploits",
      "type": "ExploitsSummary",
      "required": false,
      "description": "Counts of public exploit references.",
      "fields": [
        {"name": "exploitdb_count", "type": "integer", "description": "Number of ExploitDB entries."},
        {"name": "metasploit_count", "type": "integer", "description": "Number of Metasploit modules."}
      ]
    },
    {
      "name": "mentions",
      "type": "MentionsSummary",
      "required": false,
      "description": "Counts of public mentions across feeds.",
      "fields": [
        {"name": "twitter_count", "type": "integer", "description": "Number of Twitter mentions."},
        {"name": "github_repository_count", "type": "integer", "description": "Number of GitHub repositories mentioning the CVE."}
      ]
    },
    {
      "name": "visibility",
      "type": "VisibilitySummary",
      "required": false,
      "description": "Where the CVE has been observed.",
      "fields": [
        {"name": "seen_on_cisa_kev", "type": "boolean", "description": "Present on CISA KEV."},
        {"name": "seen_on_vulncheck_kev", "type": "boolean", "description": "Present on VulnCheck KEV."},
        {"name": "seen_on_coalition_honeypots", "type": "boolean", "description": "Exploitation observed on Coalition honeypots."}
      ]
    }
  ]
}