We have multiple CVE's that are impossible to patch (either because they're disputed or won't be patched), but we have to exempt them each time they pop up. Being able to exempt at the CVE ID level would help allow us to minimize the friction developers get.