Description
Currently, CVE ID Transfers are only addressed in:
4.5.4.1 The ownership of a CVE ID and the corresponding CVE Record SHOULD NOT be transferred except in specific circumstances, primarily related to issues with scope or delays in assignment or publication, as determined by the appropriate Root. For example, if a CNA assigns a CVE ID and publishes a corresponding CVE Record, and at the time of assignment a different CNA had more appropriate scope, then the appropriate Root SHOULD transfer ownership of the CVE ID to the CNA with more appropriate scope.
In addition to that, due to new CNAs joining over time, there may be an increasing number of situations where a CNA wants or needs to have the CVE IDs in its scope transferred from the time before it became a CNA.
Currently, this seems to be handled and decided on a case-by-case basis, with the following restriction:
The program does not transfer IDs that are from 2016 and earlier. If the [new CNA] would like to add additional information via a reference they are more than welcome to submit an update reference request through the web form.
However, given the automation capabilities of the CVE services API, submission of updates through the web form may create more manual effort on all sides, compared to the one-time transfer of a well-defined set of CVE IDs.
Therefore, I propose to clarify this and document it in the CNA rules.
Proposal:
4.5.4.2 The ownership of CVE IDs that already existed before the date when the CNA with the most appropriate scope (usually the vendor) became a CNA SHOULD be transferred if both the owning and the new CNA agree. In this context, a bulk transfer of CVE IDs MAY only be accepted if the target CNA submits all updates of the affected CVE Records through the CVE Services API.