Harness STO should provide context-aware vulnerability gating across all CVE-based scanners, rather than only basic severity-based OPA policies that block on critical and high findings.
Current severity-only policies cannot distinguish whether a finding is reachable, exploitable, or transitive, whether its NVD record was newly published or recently updated, or whether a fix is available at all.
Harness STO should normalize and expose richer vulnerability context to both OPA policies and the STO UI, including:
- Reachability status: reachable, unreachable, unknown
- Exploitability and zero-day indicators
- Direct vs transitive dependency status
- Fix availability and fixed versions
- NVD published and updated timestamps
- Ability to configure OPA policy rules that account for this context, such as excluding unreachable or non-exploitable findings, treating transitive dependency findings differently, and applying grace periods for newly published or recently updated NVD findings.
The STO UI should clearly distinguish zero-day, unreachable, transitive, no-fix, and NVD-updated CVEs so developers can quickly understand why a vulnerability exists, how urgent it is, and what action is expected.
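As an added illustration of the policy rules and per-finding reasons requested above (not Harness's own policy, schema or rule names), a Rego policy over an assumed input shape: `input.now`, `input.findings`, the entries' field names and the `decision`/`deny` rule names are all assumptions; the sample findings and CVE ids are constructed placeholders.

```rego
package sto.gating
import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Assumed input shape (hypothetical; not Harness STO's real schema): input.now is an RFC3339 time and
# each input.findings entry has cve, severity, reachability, exploitable, dependency_type, fix_available, nvd_updated.
grace_ns := 7 * 24 * 60 * 60 * 1000000000 # seven-day grace period for newly published or updated NVD records

high_severity(f) if f.severity in {"Critical", "High"}

# Findings proven unreachable or marked non-exploitable never gate.
excluded(f) if f.reachability == "unreachable"
excluded(f) if f.exploitable == false

# Transitive findings with no fix are tracked rather than blocked.
deferred(f) if { f.dependency_type == "transitive"; not f.fix_available }

in_grace(f) if time.parse_rfc3339_ns(input.now) - time.parse_rfc3339_ns(f.nvd_updated) < grace_ns

# Context decides the disposition; severity alone no longer does.
verdict(f) := ["ignore", "unreachable or not exploitable"] if {
	excluded(f)
} else := ["warn", "transitive dependency with no fix available"] if {
	deferred(f)
} else := ["warn", "NVD record updated inside the grace period"] if {
	in_grace(f)
} else := ["block", "reachable, fixable or direct, outside the grace period"]

# One decision per Critical/High finding, carrying the reason the UI should show.
decision contains {"cve": f.cve, "action": v[0], "reason": v[1]} if {
	some f in input.findings
	high_severity(f)
	v := verdict(f)
}

# Only "block" decisions fail the pipeline gate.
deny contains msg if {
	some d in decision
	d.action == "block"
	msg := sprintf("%s: %s", [d.cve, d.reason])
}

# Constructed sample findings with placeholder CVE ids; run with `opa test gate.rego`.
test_gate if {
	sample := {"now": "2024-03-03T00:00:00Z", "findings": [
		{"cve": "CVE-0000-0001", "severity": "Critical", "reachability": "reachable", "exploitable": true, "dependency_type": "direct", "fix_available": true, "nvd_updated": "2024-01-01T00:00:00Z"},
		{"cve": "CVE-0000-0002", "severity": "High", "reachability": "unreachable", "exploitable": true, "dependency_type": "direct", "fix_available": true, "nvd_updated": "2024-01-01T00:00:00Z"},
		{"cve": "CVE-0000-0003", "severity": "High", "reachability": "reachable", "exploitable": true, "dependency_type": "transitive", "fix_available": false, "nvd_updated": "2024-01-01T00:00:00Z"},
		{"cve": "CVE-0000-0004", "severity": "High", "reachability": "unknown", "exploitable": true, "dependency_type": "direct", "fix_available": true, "nvd_updated": "2024-03-01T00:00:00Z"}
	]}
	count(deny) == 1 with input as sample
	count({d | some d in decision; d.action == "warn"}) == 2 with input as sample
}
```

Of the four sample findings only the reachable, direct, fixable one outside the grace period blocks; the transitive no-fix and recently updated ones surface as warnings with their reason, and the unreachable one is ignored.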
This would reduce unnecessary deployment blocks, save developer effort, and make vulnerability gates more meaningful and actionable.