CVE Blog

The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE.

Please use our LinkedIn page, or the CVE Request Web Form by selecting “Other” from the dropdown, to comment on the post below.


CNA Rules, Version 2.0 to Take Effect on January 1st


The policies and processes managing the CVE Numbering Authorities (CNAs) Program, known as the “CNA Rules,” have been revised with significant input from the CNA community. These revised rules, CVE Numbering Authorities (CNA) Rules, Version 2.0, will go into effect on January 1, 2018.

CNA Rules, Version 2.0, which is updated from Version 1.1, includes the following clarifications and improvements:

  • Fixed a number of typos and reworded some phrasing for clarity.
  • Clarified existing rules regarding communicating with other vendors or CNAs and the difference between CVE entries that are marked as disputed versus rejected.
  • Defined additional terms, such as what it means for a vulnerability to be “public,” the definition of “hardware” within CVE, and what hardware can receive CVE IDs.
  • Set the CVE JSON format to be the preferred format for submitting CVE requests.
  • Removed the CVE assignment requirement for Root CNAs, making it optional.
  • Added a new rule indicating that CNAs must publish their CNA scope on their website as well as some other disclosure process information.

For detailed information about the changes, please see the issue tracker and change logs.

If you have any questions or comments about the revised CNA Rules document, please contact us via our CVE Request web form by selecting “Other” from the dropdown menu.

We look forward to hearing from you!

- The CVE Team
  October 13, 2017



Page Last Updated or Reviewed: August 24, 2020