Below are the results of the prioritization poll, categorized by the working group that will be taking on the revision. Unless there are objections, we will be distributing this list to the working groups so that they can get started. The next step for the Board is to set the deadline for when the revisions need to be completed.

CNA Coordination Working Group Topics:
Update problems with assignments (reject, split, and merge processes) to include CNA violations
Product End of Life scope and reporting requirements
Create requirements for scope statements
Requirements for disclosure policies

CVE Quality Working Group Topics:
Modify Counting Rules to support Cloud and SaaS
Require min info in description
Are references a requirement?
CVE Record Tagging to include references and entries
Define parameters for what responsiveness means
Additional Required Fields
Must the fields match the description?
Support for experimental types of entries?

Strategic Planning Working Group Topics:
Should a location where the CNA will post its advisories be required?
Requirements for non-vendor CNA candidates
Should end of life products be covered by CVE?
When does RBP begin? (CNA published vs third-party publishes)
Requirements for CNAs assigning a CVE ID to a vulnerability in another (non-CNA) vendor's product
Require Root CNAs to designate a CNA-LR
Change requirement to submit entries directly to the parent CNA
Merge Appendix C (Counting Rules) into General Rules
Revise accepted file formats
Each Root must document how to format the data when submitting entries
Break up Problem Type requirement into "one of" requirement
Remove CNA onboarding process (each Root will have their own)
Add requirement for Roots to publish their onboarding process