Bug
Resolution: Done
Major
DO430 - RHACS4.6-en-2-20250408
en-US (English)
Please fill in the following information:
| URL: | https://rol.redhat.com/rol/app/courses/do430-4.6/pages/ch02s05 |
| Reporter RHNID: | chetan-rhls |
| Section Title: | Lab: Secure Workloads by Applying Vulnerability Management |
Issue description: Feedback by learner:
| Name: | Donald Sebastian Leung |
| Email: | donaldsebleung@gmail.com |
In the lab "vulnerability-review", the learner is instructed as follows:
"Defer the RHSA-2023:4706 CVE for 14 days. Set the rationale to In progress."
I assumed the instructions meant a CVE deferral request should be submitted and approved for the identified CVE, as otherwise the deferral request would not take effect. Upon grading, I was surprised to be informed that the grading script accepted only pending deferrals.
In an attempt to satisfy the grading script, I cancelled the approved CVE deferral and created a new one in pending state. Unfortunately, the grading script still marked the deliverable as FAIL, since the (now cancelled) original CVE deferral request appears first in the API response and the grading script returns immediately on the 1st deferral with a matching CVE ID.
This leads to the following issues and questions:
1. Since the grading script expects a pending, non-approved CVE deferral request, it should state this requirement explicitly in the instructions instead of just saying "defer the CVE". The latter could be misinterpreted as going through the entire process and ensuring the deferral is in proper effect.
2. The grading script should allow the learner to fix their "mistake" and allow a re-submit of the CVE deferral in PENDING state to PASS, instead of getting stuck on the 1st approved/denied/cancelled deferral and preventing the learner from completing the exercise.
3. In the companion exam EX430, how should the examinee interpret a similar objective "defer the vulnerability CVE-XXXX-XXXX"? In my opinion, having marks deducted for a similar misunderstanding would be rather unfortunate!