
Add CVE compensating-control evidence gates #2229

Open

Errordog2 wants to merge 1 commit into UnitOneAI:main from Errordog2:codex/cve-triage-compensating-control-gates

Conversation


@Errordog2 Errordog2 commented Jun 9, 2026


/claim #1629

Pull Request Checklist

  • Skill follows the format specification in CONTRIBUTING.md
  • At least one real framework is cited with correct control IDs
  • All framework references verified against primary sources (not blogs or AI output)
  • Prompt Injection Safety Notice section included
  • injection-hardened: true set in frontmatter
  • allowed-tools scoped to minimum necessary permissions
  • Tested with at least one AI coding agent (which one: OpenAI Codex)
  • No prohibited patterns per SECURITY.md
  • index.yaml updated with new skill entry (not applicable: existing skill only)

What This PR Does

Adds the #1629 compensating-control verification gate to skills/vuln-management/cve-triage/SKILL.md so SLA de-escalation requires evidence that a control blocks the actual CVE exploit path.

The update adds:

  • control-to-vector mapping requirements for WAFs, segmentation, EDR, feature flags, and similar controls;
  • runtime/fleet scope, effectiveness evidence, bypass review, owner, expiry, monitoring, and rollback criteria;
  • an output matrix for compensating-control verification;
  • common pitfalls warning against generic control claims and ticket-closure-only evidence;
  • a v1.0.1 changelog entry.

Framework References

  • CVSS 4.0 exploitability metrics and Environmental context
  • SSVC 2.1 exploitation/automatable/technical-impact/mission-prevalence decision points
  • CISA KEV / BOD 22-01 escalation context
  • EPSS as a probability input, not a standalone de-escalation source

Testing

  • git diff --check HEAD~1..HEAD
  • Frontmatter required-field check over skills/ and roles/
  • Index file existence check for index.yaml entries
  • Prompt-injection pattern scan equivalent to the repository workflow
  • Targeted rg checks for the new sections and version bump
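The evidence gate the PR description lists, written out as an added Python example; this is not code from the pull request or from the UnitOneAI repository. It treats SLA de-escalation as allowed only when the claimed control is mapped to the CVE's actual attack vector, covers the whole affected fleet at runtime, carries accepted effectiveness evidence (ticket closure is deliberately not accepted), and has bypass review, owner, expiry, monitoring and rollback criteria on record. The control types, CVSS-style vector labels, evidence kinds, field names and the sample CVE are all assumptions made for the example, not the skill's own schema.

```python
"""Compensating-control evidence gate for CVE SLA de-escalation (added example)."""
from dataclasses import dataclass, field
from datetime import date

# CVSS attack-vector values: N network, A adjacent, L local, P physical.
# Which control type can in principle block which vector is an assumption
# for this example; a real skill would carry its own vetted mapping table.
CONTROL_BLOCKS_VECTOR = {
    "waf": {"N"},
    "segmentation": {"N", "A"},
    "edr": {"N", "A", "L"},
    "feature_flag": {"N", "A", "L"},
}

# Evidence kinds that show the exploit path is blocked (hypothetical names).
# "ticket_closed" is intentionally absent: closing a ticket proves nothing.
ACCEPTED_EFFECTIVENESS = {"exploit_replay_blocked", "blocked_request_telemetry"}

# Lifecycle fields every de-escalating control must carry (hypothetical names).
REQUIRED_FIELDS = ("bypass_review", "owner", "expiry", "monitoring", "rollback_criteria")


@dataclass
class Cve:
    cve_id: str
    attack_vector: str      # CVSS AV value of the exploit path being mitigated
    affected_hosts: int


@dataclass
class Control:
    kind: str
    mapped_vectors: set     # vectors the control is claimed to block for this CVE
    covered_hosts: int      # affected hosts where the control is live at runtime
    effectiveness: str      # kind of effectiveness evidence supplied
    fields: dict = field(default_factory=dict)


def evaluate_gate(cve, control, today):
    """Return (allowed, reasons); allowed is True only when every check passes."""
    reasons = []
    can_block = CONTROL_BLOCKS_VECTOR.get(control.kind, set())
    if cve.attack_vector not in can_block:
        reasons.append(f"{control.kind} cannot block attack vector {cve.attack_vector}")
    if cve.attack_vector not in control.mapped_vectors:
        reasons.append("control is not mapped to the CVE's exploit path")
    if control.covered_hosts < cve.affected_hosts:
        reasons.append(f"runtime scope covers {control.covered_hosts}/{cve.affected_hosts} affected hosts")
    if control.effectiveness not in ACCEPTED_EFFECTIVENESS:
        reasons.append(f"effectiveness evidence {control.effectiveness!r} is not accepted")
    for name in REQUIRED_FIELDS:
        if not control.fields.get(name):
            reasons.append(f"missing {name}")
    expiry = control.fields.get("expiry")
    if isinstance(expiry, date) and expiry <= today:
        reasons.append("control evidence has expired; re-verify before de-escalating")
    return (not reasons, reasons)


def verification_matrix(cve, controls, today):
    """One row per control: (kind, decision, reasons), the output matrix."""
    rows = []
    for control in controls:
        ok, reasons = evaluate_gate(cve, control, today)
        rows.append((control.kind, "de-escalate" if ok else "keep SLA", reasons))
    return rows


# Constructed sample input; the CVE id is a placeholder, not a real record.
TODAY = date(2026, 6, 9)
SAMPLE_CVE = Cve("CVE-YYYY-NNNNN", "N", affected_hosts=120)

# A WAF rule with the full evidence set: mapped to the network vector,
# covering every affected host, replay-tested, owned, expiring, monitored.
GOOD_WAF = Control(
    kind="waf", mapped_vectors={"N"}, covered_hosts=120,
    effectiveness="exploit_replay_blocked",
    fields={"bypass_review": "alternate encodings and endpoints reviewed",
            "owner": "appsec-oncall", "expiry": date(2026, 7, 9),
            "monitoring": "WAF block-rate alert", "rollback_criteria": "any bypass observed"},
)

# The generic claim the PR warns against: "EDR is deployed", ticket closed,
# no mapping to the exploit path, partial fleet coverage, no lifecycle fields.
GENERIC_EDR = Control(
    kind="edr", mapped_vectors=set(), covered_hosts=80,
    effectiveness="ticket_closed", fields={"owner": "it-ops"},
)

if __name__ == "__main__":
    for kind, decision, reasons in verification_matrix(SAMPLE_CVE, [GOOD_WAF, GENERIC_EDR], TODAY):
        print(f"{kind:<14}{decision}")
        for reason in reasons:
            print(f"    - {reason}")
```

The matrix rows are what a reviewer would paste into the triage ticket: the control that fails the gate keeps its original SLA, and every failed check is listed so the control owner knows which evidence is still missing rather than being told only that the request was refused.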

