[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[TECH] CVE Entry Deprecation Process

This was discussed during various meetings in the past, and is posted
mostly for reference.  However, feedback is welcome.

- Steve

CVE Entry Deprecation Process
Version: 1.0

This document describes the process by which CVE entries are

While the CVE candidate review process is designed to minimize the
number of entries that are erroneously created, there is a risk that
an entry is improperly assigned.  For example, a duplicate entry may
be added, or an existing entry may need to be split into different
entries, or merged with other entries.  When such a change is needed,
a CVE entry may need to be deprecated.

The following process will be followed when an entry is slated for

1) The CVE Editor identifies which entries need to be deprecated.

   If there are duplicate entries, then the entry that was most
   recently added to the CVE list must be deprecated.  If the
   duplicates were added in the same version, then the least
   authoritative entry must be deprecated.  If the duplicates are
   equally authoritative, then the highest numbered entry must be

2) The Editor sends an email to the Editorial Board to identify those
   entries that have been targeted for deprecation.  For each entry,
   the reasons for deprecation will be noted.  The subject line will
   include the tag:

     [ENTRYDEP] Deprecate N REASON entries (Final DATE)

   The REASON for deprecation will be included on the subject line,
   such as "Duplicate," "Recast," and "Not-Real."  N is the number of
   entries to be deprecated.  DATE is the expected date on which a
   Final Decision will be made.

3) The Board is provided with at least 4 business days to evaluate the
   proposal, possibly longer.

4) If Editorial Board members disagree with the proposed deprecation
   for any entry, then they send feedback to the Editor or to the
   entire Editorial Board.  If they agree with the proposal, they may
   remain silent.

5) After the review period, the CVE Editor makes a Final Decision to
   deprecate the entry (barring any feedback by Board members).  The
   Final Decision must not occur before the DATE as specified in (2)
   above.  The decision is sent to the Editorial Board mailing list
   with the subject tag:

     [ENTRYFIN] Deprecate N REASON entries

6) After the Final Decision, the entry is modified in the next CVE

7) The description of the entry is modified to say that it has been
   deprecated, and it also provides the reason for deprecation.  The
   format of the description will be:

     DEPRECATED.  This entry has been deprecated.  <REASON>

   where <REASON> describes the reason for deprecation.

8) If the entry is a duplicate, or if it has been recastm then the
   correct CVE entry or candidate is identified in the reason.  All
   associated references and other descriptive text are removed.

9) The deprecated entry is listed in the CVE difference report for the
   new CVE version.

10) The deprecated entry remains in the CVE list, in case
   CVE-compatible tools still use the deprecated entry.

Page Last Updated or Reviewed: May 22, 2007