5.3.1.2 says "If multiple public references exist, CNAs MUST include the most freely available public reference in the CVE Record." This phrase appears exactly once in the rules and isn't defined anywhere in the Glossary.
The related rule, 5.3.3.2, only gets partway there: "A CVE Record MUST have at least one public reference that... SHOULD NOT impose terms of use or service that restrict general-purpose use of the information." Two problems. First, it's a SHOULD, not a MUST, so a CNA can point to a paywalled or restrictively licensed reference and still be in compliance. Second, "should not restrict general-purpose use" is about access, not reuse rights. A reference can be free to read and still carry copyright or licensing terms that block the community from reusing the vulnerability information in tools, datasets, or research.
CVE Records exist to be built on top of. Every downstream project (CVE.icu, CNAScorecard, CVEForecast, NVD, EPSS, every vulnerability scanner) depends on the underlying vulnerability information being genuinely free for community use, not just viewable without a login.
Proposed change
Upgrade 5.3.3.2 from SHOULD to MUST, and make explicit that the public vulnerability data referenced in a CVE Record must be free for community use and reuse, not merely freely accessible. Something like: "MUST NOT impose terms of use, licensing, or access restrictions that prevent the CVE Program community from freely using and reusing the referenced vulnerability information." Tie 5.3.1.2's "most freely available" back to this same standard so both rules point at one clear, checkable definition instead of two vague, unrelated phrases.
5.3.1.2 says "If multiple public references exist, CNAs MUST include the most freely available public reference in the CVE Record." This phrase appears exactly once in the rules and isn't defined anywhere in the Glossary.
The related rule, 5.3.3.2, only gets partway there: "A CVE Record MUST have at least one public reference that... SHOULD NOT impose terms of use or service that restrict general-purpose use of the information." Two problems. First, it's a SHOULD, not a MUST, so a CNA can point to a paywalled or restrictively licensed reference and still be in compliance. Second, "should not restrict general-purpose use" is about access, not reuse rights. A reference can be free to read and still carry copyright or licensing terms that block the community from reusing the vulnerability information in tools, datasets, or research.
CVE Records exist to be built on top of. Every downstream project (CVE.icu, CNAScorecard, CVEForecast, NVD, EPSS, every vulnerability scanner) depends on the underlying vulnerability information being genuinely free for community use, not just viewable without a login.
Proposed change
Upgrade 5.3.3.2 from SHOULD to MUST, and make explicit that the public vulnerability data referenced in a CVE Record must be free for community use and reuse, not merely freely accessible. Something like: "MUST NOT impose terms of use, licensing, or access restrictions that prevent the CVE Program community from freely using and reusing the referenced vulnerability information." Tie 5.3.1.2's "most freely available" back to this same standard so both rules point at one clear, checkable definition instead of two vague, unrelated phrases.