The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. Right-click and copy a URL to share a post, or comment on a post by using our LinkedIn page or the CVE Request Web Form by selecting “Other” from the dropdown.

CNA Rules, Version 3.0 Now in Effect

Comment on LinkedIn | Share this post

Version 3.0 of the CVE Numbering Authority (CNA) Rules took effect on March 5, 2020. The CNA Rules are the policies and processes for managing the CNA Program, and were revised with significant input from the CNA community.

Version 3.0 was a major update of the CNA Rules. The revised document updates and refines the roles of Sub-CNAs, Root CNAs, and the Program Root CNA, while adding two new roles: Secretariat and CNA of Last Resort (CNA-LR). Assignment, communication, and administration rules are specified for each role. In addition, separate chapters specify the CVE ID Assignment Rules, which includes the CVE Program’s definition of a vulnerability; CVE Entry Requirements; the Appeals Process; Defining a CNA’s Scope; and a CNA Rules Update chapter with rules for updating the CNA Rules document. The appendixes focus on CVE Program Definitions, including CVE Entry and CVE ID states; CVE’s Terms of Use; the Process to Correct Assignment Issues or Update CVE Entries; and CVE’s Disclosure and Embargo Policies.

CNA Rules, Version 3.0, which was updated from Version 2.0, includes detailed information on the following:

• Introduction – CVE Numbering Authorities (CNAs), CNA Program Structure, Purpose and Goal of the CNA Rules, and Document Structure
• Sub-CNAs – CVE ID Management Rules, CVE Entry Management Rules, CNA Record Management Rules, and Administration Rules
• Root CNAs – Child CNA Management Rules, CNA-LR Management Rules, Escalated Issues Rules, CNA Recruitment Rules, and Administration Rules
• CNA of Last Resort (CNA-LR) – CVE ID Management Rules, CVE Entry Management Rules, CNA Record Management Rules, and Administration Rules
• Secretariat – CVE List Maintenance Rules, Infrastructure Maintenance Rules, and Administration Rules
• Program Root CNA – Program Root CNA Rules
• Assignment Rules – What is a Vulnerability?; How many Vulnerabilities?; CNA Scope; and Requirements for Assigning a CVE ID
• CVE Entry Requirements – CVE Entry Information Requirements, Prose Description Requirements, Reference Requirements, and Formatting
• Appeals Process
• Defining a CNA’s Scope
• CNA Rules Updates – Rules for Updating the CNA Rules
• Appendix A. Definitions – CVE States: CVE ID States and CVE Entry States
• Appendix B. Terms of Use
• Appendix C. Process to Correct Assignment Issues or Update CVE Entries – Dispute: CNA Rules Violations; Reject: A CVE ID Should Not Have Been Assigned; Merge: Multiple CVE IDs Assigned to One Vulnerability; Split: A Single CVE ID is Assigned when More than One is Required; and Dispute: Validity of the Vulnerability is Questioned
• Appendix D. Disclosure and Embargo Policies
• List of Acronyms

For details about the changes from v2.0 to v3.0, please see our “CNA Rules, Version 3.0 Coming Soon” blog article. To learn more about the CNA Program, and the business benefits of becoming a CNA, visit Why Become a CNA?

If you have any questions or comments about the new CNA Rules document, or how to become a CNA, please contact us via our CVE Request web form by selecting “Request information on the CVE Numbering Authority (CNA) Program” or “Other” from the dropdown menu.

We look forward to hearing from you!

Recent Posts

• Our CVE Story: Rapid7 (guest author)
• Process for Assigning CVE IDs to End-of-Life (EOL) Products
• CVE Program Report for Calendar Year Q2-2020
• Our CVE Story: Bringing Our ZDI Community to the CVE Community (guest author)
• CVE Program Report for Calendar Year Q1-2020
• More >>