Conversation

@zmanion
Collaborator

@zmanion zmanion commented Dec 30, 2024

The current rules allow a CNA to not publish an advisory about a CVE ID they assigned, and also an advisory is not required to cite the relevant CVE ID(s).

Signed-off-by: Art Manion <zmanion@protonmail.com>
@eslerm

eslerm commented Jan 8, 2025

I am cautious about adding requirements which could become roadblocks to CNA communication.

However, given that there are some very low quality CNAs which are degrading the integrity of the CVE Program, I believe this is necessary.

Could 5.3.3.1 SHOULD NOT require registration or login also be changed to 5.3.3.1 MUST NOT require registration or login as well? Otherwise, I do not believe this change will have the intended effect.

In my personal opinion, this would help lower the noise that VulDB adds to the CVE Program.

eslerm@aeon:~/code/eslerm/nvd-mirror/2023$ grep -rl "Permissions Required" | xargs grep -l "vuldb"|wc -l
1150
eslerm@aeon:~/code/eslerm/nvd-mirror/2023$ grep -rl "Permissions Required" |wc -l
2032
eslerm@aeon:~/code/eslerm/nvd-mirror/2023$ grep -rl "vuldb" |wc -l
1519
eslerm@aeon:~/code/eslerm/nvd-mirror/2023$ cd ../2024/
eslerm@aeon:~/code/eslerm/nvd-mirror/2024$ grep -rl "Permissions Required" | xargs grep -l "vuldb"|wc -l
1694
eslerm@aeon:~/code/eslerm/nvd-mirror/2024$ grep -rl "Permissions Required" |wc -l
2147
eslerm@aeon:~/code/eslerm/nvd-mirror/2024$ grep -rl "vuldb" |wc -l
2915

Signed-off-by: Art Manion <zmanion@protonmail.com>
@zmanion
Collaborator Author

zmanion commented Jan 9, 2025

@ElectricNroff raised a good point: there are valid reasons for a CNA to assign CVE IDs and publish CVE Records but not also publish an advisory. Examples of this include a CNA LR and a coordinator CNA.

CNAs MUST publish Vulnerability advisories or other information about Vulnerabilities for which the CNA has assigned CVE IDs and published CVE Records.

Maybe the distinction is that supplier CNAs MUST publish advisories? "Advisory" should be defined broadly to include nearly any documentation about the vulnerability (and probably the fix) such as change logs, tickets, issues, release notes.

Or maybe the distinction is slightly broader than "supplier," something about "first public disclosure?" This would cover e.g., a research or coordinator CNA. CNA-LRs could be exempted.

@zmanion
Collaborator Author

zmanion commented Jan 9, 2025

A partial CNA-LR exemption already exists:

2.4.3 [CNA LRs] MAY limit effort to optimize service given resource constraints, for example, by not notifying Suppliers who are not CNAs (4.3.2) and by not publishing advisories or other information about vulnerabilities (4.5.2.1) for assigned CVE IDs.

@zmanion
Collaborator Author

zmanion commented Jan 9, 2025

Could 5.3.3.1 SHOULD NOT require registration or login also be changed to 5.3.3.1 MUST NOT require registration or login as well? Otherwise, I do not believe this change will have the intended effect.

@eslerm could you open a separate issue for this? I think it's worth discussing but would prefer to do so independently of this PR.

@zmanion
Collaborator Author

zmanion commented Jan 9, 2025

At least one example where the lack of a CVE ID reference in a vendor advisory caused unnecessary confusion and cost:

https://security-portal.versa-networks.com/emailbulletins/6735a300415abb89e9a8a9d3

todb and others added 2 commits January 22, 2025 16:11
Signed-off-by: Tod Beardsley <todb@packetfu.com>
Soften 4.5.2.1 to SHOULD, keep supplier MUST
@zmanion zmanion changed the title require CNAs to publish advisories that reference CVE IDs Require CVE ID in advisories, year portion of ID, grammar Mar 4, 2025
@amanion-cisa

Another example, CNA publishes advisory, fixes vulnerability, unclear if they did not assign and publish CVE or just didn't reference it:

https://www.synology.com/en-us/security/advisory/Synology_SA_25_03

@amanion-cisa

We may want to add a rule, or guidance, that if a CNA fixes a vulnerability and optionally issues an advisory (both of which are public disclosure), the CNA MUST assign and publish a CVE? This is another case where the type of CNA matters, i.e., a "supplier" CNA might be covered, but CNA-LRs, research, coordinator, or other non-first-party CNAs may not be subject to the same rule.

@todb
Contributor

todb commented Mar 27, 2025

This PR currently does three things:

  • Encourages CVE year-parts to be sensible with a SHOULD. Love it.
  • Fixes a grammar issue (CNAs, not CNA). Also love it.
  • Upgrades a SHOULD to a MUST for the publishing requirements of Supplier CNAs (and Supplier CNAs alone). Specifically, Supplier CNA advisories now MUST reference CVEs specifically and directly, rather than merely SHOULD reference specific CVEs.

This third thing also sounds great, because it's irritating for investigators to look at a supplier's release notes and see, "Fixes security issues" with no hint as to what security issues are fixed. This change, ideally, takes all the guesswork out of matching release notes and advisories to CVEs.

@zmanion
Collaborator Author

zmanion commented Mar 28, 2025

https://www.cve.org/About/Process#CVERecordLifecycle (expand "CVE ID +") says:

The “Year” portion is the year that the CVE ID was reserved or the year the vulnerability was made public. The year portion is not used to indicate when the vulnerability was discovered.

So either the CNA Rule change should add "...was reserved or..." or the text on the cve.org Process page should be changed to remove "...was reserved...".

@MrSeccubus

@ElectricNroff raised a good point: there are valid reasons for a CNA to assign CVE IDs and publish CVE Records but not also publish an advisory. Examples of this include a CNA LR and a coordinator CNA.

CNAs MUST publish Vulnerability advisories or other information about Vulnerabilities for which the CNA has assigned CVE IDs and published CVE Records.

Maybe the distinction is that supplier CNAs MUST publish advisories? "Advisory" should be defined broadly to include nearly any documentation about the vulnerability (and probably the fix) such as change logs, tickets, issues, release notes.

Or maybe the distinction is slightly broader than "supplier," something about "first public disclosure?" This would cover e.g., a research or coordinator CNA. CNA-LRs could be exempted.

This is also true for research CNAs, especially when a vendor is not willing or able to publish information or not cooperating at all.

@zmanion
Collaborator Author

zmanion commented Apr 2, 2025

Sigh. More "year" guidance to synchronize, a pending change to the CVE Record Format:

"The official CVE identifier contains the string 'CVE', followed by the year, followed by a 4 to 19 digit number. Note that the year-part of the identifier should indicate either the year the vulnerability was discovered, or the year the CVE ID is published in. CVE IDs must be unique."

My individual and mild preference is that the year part SHOULD be the year in which the vulnerability was publicly disclosed, because this is what most external consumers will intuitively understand, and the SHOULD allows for other choices or vulnerability handling cases that cross calendar year boundaries.

@ElectricNroff

Sigh. More "year" guidance to synchronize, a pending change to the CVE Record Format:

"The official CVE identifier contains the string 'CVE', followed by the year, followed by a 4 to 19 digit number. Note that the year-part of the identifier should indicate either the year the vulnerability was discovered, or the year the CVE ID is published in. CVE IDs must be unique."

My individual and mild preference is that the year part SHOULD be the year in which the vulnerability was publicly disclosed, because this is what most external consumers will intuitively understand, and the SHOULD allows for other choices or vulnerability handling cases that cross calendar year boundaries.

I believe this is best, but we may want to add "Once a vulnerability is Publicly Disclosed with a CVE ID, a CNA MUST NOT use this rule as the basis for changing the vulnerability's CVE ID to one that has better year alignment."

Signed-off-by: Art Manion <zmanion@protonmail.com>
@zmanion
Collaborator Author

zmanion commented Apr 3, 2025

I believe this is best, but we may want to add "Once a vulnerability is Publicly Disclosed with a CVE ID, a CNA MUST NOT use this rule as the basis for changing the vulnerability's CVE ID to one that has better year alignment."

4.2.21 CNAs SHOULD assign the year part of a CVE ID based on the calendar year in which the vulnerability was first publicly disclosed. CNAs MUST NOT, based on this rule, change CVE IDs that have already been Publicly Disclosed.

(c31b76a)

Noting that the text still might change if we haven't completely decided about:

  • publicly disclosed
  • first reserved
  • first discovered

CNA_Rules.md Outdated
4.5.2 Publishing Vulnerability Information

4.5.2.1 CNA SHOULD publish Vulnerability advisories or other information about Vulnerabilities for which the CNA has assigned CVE IDs and published CVE Records. Such information SHOULD meet the public references requirements in [5.3](#53-public-references) and MAY be used as a public reference (see 5.3.1.1).
4.5.2.1 CNA MUST publish Vulnerability advisories or other information about Vulnerabilities for which the CNA has assigned CVE IDs and published CVE Records. Such information SHOULD meet the public references requirements in [5.3](#53-public-references) and MAY be used as a public reference (see 5.3.1.1).
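Review bot: the subject of 4.5.2.1 in both versions reads "CNA ... publish" while 4.2.21 and the other rules quoted in this thread use the plural "CNAs", and the PR description lists fixing "CNA" to "CNAs" as one of its goals, so the line should read "4.5.2.1 CNAs MUST publish Vulnerability advisories ...". Separately, an unconditional MUST for all CNAs conflicts with the partial CNA-LR exemption in 2.4.3 quoted earlier in this thread, which lets CNA-LRs skip publishing under 4.5.2.1; either scope the MUST to supplier CNAs, as the commit "Soften 4.5.2.1 to SHOULD, keep supplier MUST" indicates, or add a cross-reference to 2.4.3 so the two rules do not read as contradictory.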
Collaborator Author

For a future revision:

4.5.2.1 CNAs MUST publish Vulnerability advisories or other information about Vulnerabilities for which the CNA has assigned CVE IDs and for which no other public reference exists.

(Also confirm that the rules require CNAs to publish CVE Records for CVE IDs they assign.)

For a future revision:

4.5.2.1 CNAs MUST publish Vulnerability advisories or other information about Vulnerabilities for which the CNA has assigned CVE IDs and for which no other public reference exists.

(Also confirm that the rules require CNAs to publish CVE Records for CVE IDs they assign.)

I think this is better addressed by adding "This reference MAY be one created by the CNA." as the second sentence of 5.3.1. The wording you suggested seems to imply that (for CVE Records published after the rule goes into effect) a CNA will, or can, become aware of linkrot and MUST respond to the linkrot by publishing its own reference (e.g., an advisory). I think this is not a good idea because:

  • when a "no other public reference exists" event occurs because of linkrot, it may be best for the CVE Record to point to an archived copy of a previously valid reference, not a new reference published by the CNA
  • the exact mechanism for an archived reference to become an official public reference hasn't been decided - it's conceivable that this would be somehow automated and not require the CNA itself to complete a "MUST publish" action
  • it's also possible that (after linkrot) the previously valid reference content is online at a different URL, and again it may be best to point to the updated URL, not a new reference published by the CNA

Also:

  • there always can be a legitimate CNA or CNA-LR that never, under any circumstances, creates references on its own
  • even if that CNA began publishing advisories, this would have essentially no value, because such a CNA generally does not have any information about the vulnerability beyond what is in the CVE Record

Collaborator Author

From 2025-04-22 optional Board working session meeting:

4.2.21 CNAs SHOULD assign the year part of a CVE ID based on the calendar year in which the vulnerability was first Publicly Disclosed, the CVE Record was first published, or the CVE ID was reserved for the vulnerability in question. CNAs MUST NOT, based on this rule, change CVE IDs that have already been Publicly Disclosed.

CNAs MAY assign CVE IDs in one calendar year and publish the corresponding CVE Record in the next calendar year. This commonly happens around calendar year boundaries.

Signed-off-by: Art Manion <zmanion@protonmail.com>
@zmanion zmanion merged commit 91c211e into CVEProject:master May 14, 2025