[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CNA Rules Announcement



Greetings,

 

On Monday, October 10th, all CNAs should be assigning CVE IDs based on the new CNA rules listed here:

 

<http://cveproject.github.io/docs/cna/CNA%20Rules%20v1.1.docx>

 

As you use these new rules, please feel free to share any feedback you might have with the rest of the CNA community and MITRE. We would like to understand what is working and what isn’t so that the rules evolve to meet the needs of the program and so that additional guidance and training can be developed based on what we collectively learn.  You can share your feedback through the cve-cna-list mailing list or directly to MITRE through the CVE Web Form.

 

<https://cveform.mitre.org/>

 

It was noted by an early reviewer that the Rules document does not provide explicit guidance on how to notify the primary or root CNA regarding publications. Appendix B provides the format but does not mention the method, and this will be corrected soon. There are currently two acceptable methods of sending requests for publication. The first would be to use the above web form and select the option “Notify CVE about a publication.” This option works well if you are publishing one or maybe a handful of CVE IDs, but may not work well if publishing a large amount of CVE IDs. The second method would be to create a file as outlined in Appendix B and to email that file to us. We prefer that you use the cve@mitre.org address at the moment, though this could change in the future.

 

We intend to collect and broadly share feedback over the next 3-6 months so that these rules remain effective and current.  If this time frame must be accelerated based on the conditions on the ground, then it will be based on the feedback we receive.

 

Thank you to those that offered feedback during the drafting of the document. We look forward to working with the CNAs to help get these rules implemented and to work out any kinks.

 

Please let us know if you think it isn’t time to implement these new rules.  We think it is based on the feedback to-date coupled with the board call yesterday.

 

 

Chris Coffin

The CVE Team


Page Last Updated or Reviewed: October 10, 2016