version: "1.0"
metadata:
  description: Relaxed internal/development policy
  tags:
    - internal
    - dev
rules:
  - name: Block KEV advisories
    tags: [kev]
    action: block

  - name: Warn medium severity
    severity: [Medium]
    environments: [internal]
    action: warn

  - name: Accept vendor VEX
    action:
      type: require_vex
      requireVex:
        vendors: [VendorX, VendorY]
        justifications:
          - component_not_present
          - vulnerable_code_not_present

  - name: Quiet low severity
    severity: [Low, Informational]
    action:
      type: ignore
      until: 2026-01-01T00:00:00Z
      justification: "Deferred to annual remediation cycle"