author: Tatiana Bradley <tatianabradley@google.com> 2024-05-17 14:06:48 -0400
committer: Tatiana Bradley <tatianabradley@google.com> 2024-05-20 16:06:26 +0000
commit: ae474702175d912e46b08ecb71fd48a29fa6b4c2 (patch)
tree: 0956f5d56a84ee08351f8a51397e6666aaa00fd6
parent: 03b6662d115731ed379ff3300fc5fe02dbac5f66 (diff)
download: go-x-website-ae474702175d912e46b08ecb71fd48a29fa6b4c2.tar.xz
_content/doc/security/vuln: document the review_status field for vulns
Adds documentation explaining how to interpret the new ecosystem_specific.review_status field.

Change-Id: I537c3ab9e205b7a5c840fd4b01197ed152f8ccc1
Reviewed-on: https://go-review.googlesource.com/c/website/+/586495
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
-rw-r--r-- _content/doc/security/vuln/database.md | 17
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/_content/doc/security/vuln/database.md b/_content/doc/security/vuln/database.md
index 88d8b31d..6b0767f2 100644
--- a/_content/doc/security/vuln/database.md
+++ b/_content/doc/security/vuln/database.md
@@ -189,11 +189,26 @@ array will have these two fields:
- **goos**: a string array with the execution operating system where the symbols appear, if known
- **goarch**: a string array with the architecture where the symbols appear, if known
-### database_specific.url
+### database_specific
+
+The `database_specific` field contains custom fields specific to the Go vulnerability database.
+
+#### database_specific.url
The `database_specific.url` field is a string representing the fully-qualified
URL of the Go vulnerability report, e.g, "https://pkg.go.dev/vuln/GO-2023-1621".
+#### database_specific.review_status
+
+The `database_specific.review_status` field is a string representing the review
+status of the vulnerability report. If not present, the report should be
+considered `REVIEWED`. The possible values are:
+
+- `UNREVIEWED`: The report was automatically generated based on another source, such as
+a CVE or GHSA. Its data may be limited and has not been verified by the Go team.
+- `REVIEWED`: The report originated from the Go team, or was generated based on an external source.
+A member of the Go team has reviewed the report, and where appropriate, added additional data.
+
For information on other fields in the schema, refer to the [OSV spec](https://ossf.github.io/osv-schema).
## Examples
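Review bot: The field name is inconsistent between the commit message and this hunk: the message says `ecosystem_specific.review_status`, while the added section documents `database_specific.review_status` under the new `database_specific` heading; one of the two should be corrected so that readers searching the docs for the field actually find it. In the `REVIEWED` bullet, the opening clause ("originated from the Go team, or was generated based on an external source") covers both possible origins and therefore overlaps with `UNREVIEWED`; the distinguishing fact is the second sentence, so consider leading with it, e.g. "`REVIEWED`: A member of the Go team has reviewed the report and, where appropriate, added additional data." Minor: the retained context line still reads "e.g," (missing period), which could be fixed while this section is being edited.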