[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]




In the last meeting we discussed sending out a note to the community in regards to changing the use of the REJECT state. Here is a draft of what I had planned to send to the community via the news section of the web site, via the CVEAnnounce Twitter account, and CVE/CWE/CAPEC LinkedIn profile.


Please provide any comments or feedback by Friday the 16th.





The CVE Team and Board have recently revisited the use of CVE States (e.g., REJECT, RESERVED, DISPUTED), and are planning to make some necessary changes to them in the coming months. One of the changes recently discussed was in how the REJECT state is applied, and specifically whether a REJECT CVE can change states again at a later date.


As a recap, a CVE ID listed as "REJECT" is a CVE ID that is not accepted as a CVE ID. The reason a CVE ID is marked REJECT will most often be stated in the description of the CVE ID. Possible examples include it being a duplicate CVE ID, it being withdrawn by the original requester, it being assigned incorrectly, or some other administrative reason. As a rule, REJECT CVE IDs should be ignored. However, there may be cases where a CVE previously marked as REJECT might need to move back to RESERVED or a populated state (i.e., the details and references are published and included).


The CVE Team and Board agree that the REJECT state should NOT be considered permanent, and that changes to this CVE state should be allowed in the future. Both the Team and Board agree that some downstream consumers of CVE may be currently interpreting the REJECT state as permanent and that the CVE will never change in the future. It was also agreed that we should provide proper notice to the community that this change in use of the REJECT state should be provided.


This announcement serves as notice that beginning July 17, CVEs in the REJECT state can be changed to another state at any time as appropriate.


If you have any comments or concerns about this change, please send them to our CVE Request web form at https://cveform.mitre.org/ (select the Other request type).




The CVE Team


Page Last Updated or Reviewed: June 14, 2017