I'm working on a project to map a tool's output to this list, so I can de-dup and collect detections across different tools into a single detection event.

However, not all of the tools have a direct mapping from their detection to this list. I could submit additional items here of course, and intend to do so as I discover them, but in the meantime this means I need some sort of identifier that I can use that won't be taken later.

I propose using an X prefix to any ID that means "locally assigned" so I can use these created temporary items, and if/when a public definition is added, change to refer to that instead.

How about forking the project and adding the new items there? later u could merge back.
(Hope i understood your requirements correctly)

I can do that, but I am worried that the temporary ID I assign could one day become a "real" ID prefix. I suppose I could use something longer than just a letter or two, or add an "X-" to it. I just wanted something that would ensure no conflict between my temporary IDs and the final, permanent one should it become accepted.

i suggest u use some high arbitrary id. You could then push the yamls as placeholders with state: draft. see https://github.com/pbom-dev/OSCAR/blob/main/content/docs/technique.md

Thanks.