Merged
Changes from 1 commit
@@ -25,6 +25,20 @@ Any Findings associated with a Full Risk Acceptance will be set to **Inactive**,

Generally, any Risk Acceptances should follow your internal security policy and be re\-examined at an appropriate time. As a result, Risk Acceptances also have expiration dates. Once a Risk Acceptance expires, any Findings will be set to Active again.

### DefectDojo Pro vs Open Source: Cross-Product Risk Acceptances

**DefectDojo Pro** provides enhanced Risk Acceptance capabilities that allow you to manage risk decisions at scale:

* **Cross-Product Risk Acceptances**: In DefectDojo Pro, you can apply a single Risk Acceptance across multiple Products. For example, if CVE-2024-1234 appears in 10 different products, you can create one Risk Acceptance that governs all instances of that CVE across your entire portfolio.
* **Bulk CVE Management**: Search for all Findings with a specific CVE or vulnerability ID, then apply a Risk Acceptance to all instances simultaneously, regardless of which Product they belong to.

**DefectDojo Open Source** implements Risk Acceptances at the Product level:

* **Product-Scoped Risk Acceptances**: Risk Acceptances are restricted to individual Products. If CVE-2024-1234 appears in 10 different products, you need to create 10 separate Risk Acceptances—one for each Product.
* **Asset-Level Control**: This approach provides granular control and ensures that risk decisions are made in the context of each specific asset or application.

Both approaches follow the same Risk Acceptance workflow described below, but the scope differs based on your DefectDojo edition.

### Add a new Full Risk Acceptance

Risk Acceptances can be added to a Finding in two ways:
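Review bot: The Open Source bullet "Product-Scoped Risk Acceptances" in this hunk leaves the per-Product scope ambiguous: "you need to create 10 separate Risk Acceptances—one for each Product" can be read as one acceptance per Finding rather than one per Product that covers every matching Finding in that Product, so state explicitly what a single Product-level acceptance can include. The unchanged paragraph above the new section says an expired Risk Acceptance sets "any Findings" back to Active; for the new Cross-Product bullet it would help to say that an expiring cross-product acceptance reactivates the Findings in every Product it governs, since that is the operationally important consequence of accepting a CVE portfolio-wide. Minor: "CVE-2024-1234" is used as an illustrative identifier in both edition bullets; consider calling it an example ID so readers do not look it up as a real advisory.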