CNA Rules, Version 3.0 Coming Soon

Comment on LinkedIn | Share this post

The policies and processes for the successful execution of the CVE Numbering Authorities (CNAs) Program, known as the “CNA Rules,” were revised with significant participation from the CNA community. Updates to the CVE Numbering Authorities (CNA) Rules, Version 3.0 document are currently being reviewed, and a specific publication date will be announced once they have been approved by the CVE Board.

The following clarifications and improvements have been made in the CNA Rules, Version 3.0, which was updated from Version 2.0:

• Updated the CVE Program’s definition of vulnerability.
• Moved the Assignment Rules from an appendix into the main document.
• Updated the CVE Entry Management Rules regarding when a CVE Entry with the details are not yet populated is considered public by the CVE Program.
• Specified the requirements for CVE ID management rules, CVE Entry management rules, CVE Record management rules, and CVE List Maintenance management rules for all CNAs.
• Clarified the roles, requirements, and responsibilities of parent CNAs (i.e., Root CNAs) and child CNAs (i.e., other Root CNAs, Sub-CNAs, CNAs of Last Resort).
• Added information regarding the role of CNAs of Last Resort (CNA-LR).
• Defined when and how an issue with a child CNA should be escalated to the child’s parent CNA.
• Added a requirement that all CNAs must provide public access to their vulnerability disclosure policy and security advisories.
• Added a new rule for defining a CNA’s scope.
• Clarified the roles of CVE Program Secretariat, CVE Program Root CNA, and CVE Program CNA of Last Resort.

Once published, if you have any questions or comments about the CVE Numbering Authorities (CNA) Rules, Version 3.0, please contact us via our CVE Request web form by selecting “Other” from the dropdown menu.

We look forward to hearing from you!