CNA Rules Revision Prioritization Results

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

CNA Rules Revision Prioritization Results

Evans, Jonathan L.

Board Members,


Below is the results of the prioritization poll categorized by the working group that will be taking on the revision.  Unless there are objections, we will be distributing this list to the working groups so that they can get started.  The next step for the Board is to set the deadline for when the revisions need to be completed.


CNA Coordination Working Group Topics

  1. Update problems with assignments (reject, split, and merge processes) to include CNA violations
  2. Product End of Life scope and reporting requirements
  1. Create requirements for scope statements
  1. Requirements for disclosure policies

CVE Quality Working Group Topics

  1. Modify Counting Rules to support Cloud and SaaS
  2. Require min info in description
  1. Are references a requirement?
  1. CVE Record Tagging to include references and entries
  1. Define parameters for what responsiveness means
  2. Additional Required Fields
    • Reference tagging
    • Impact
    • Publication date
    • Vulnerability type
    • Must the fields match the description
  1. Support for experimental types of entries?

Strategic Planning Working Group Topics

  1. Should a location where the CNA will post its advisories be required?
  1. Requirements for non-vendor CNA candidates
  2. Should end of life products be covered by CVE
  1. When does RBP begin? (CNA published vs third-party publishes)
  2. Requirements for CNAs assigning a CVE ID to a vulnerability in another (non-CNA) vendor's product
  1. Require Root CNAs to designate a CNA-LR
  1. Change requirement to submit entries directly to the parent CNA

MITRE Topics

  1. Merge Appendix C (Counting Rules) into General Rules
  1. Revise accepted file formats
    • Each Root must document how to format the data when submitting entries
  1. Break up Problem Type requirement into "one of" requirement
  2. Remove CNA onboarding process (each Root will have their own)
    • Add requirement for Roots to publish their onboarding process



Jonathan Evans

CVE Numbering Authority (CNA) Coordinator

CVE Team