
Change the issue resolution processes (Appendix E) to account for CNAs who violate the rules #34

Open
EvansJonathan opened this issue Jul 26, 2017 · 4 comments

Comments

@EvansJonathan
Contributor

GOAL: Incentivize proper behavior
CHANGE: Change the issue resolution processes (Appendix E) to account for CNAs who violate the rules
OUTCOME: Fewer rules violations

@kurtseifried

Define "proper" behavior first... CVEs? CVEs with details? CVEs with copies of testing exploit code?

@EvansJonathan
Contributor Author

Proper behavior is defined by the CNA rules, e.g. assign CVE IDs only in your scope of authority.

@dadinolfi
Contributor

The focus of this issue is the question "How should the CNA program handle a CNA that is consistently not fulfilling their obligations as a CNA?" This question isn't about occasional mistakes or misinterpretations, which are addressed currently in Appendix E. It focuses on situations where individual CNAs keep doing the wrong thing despite CVE's attempts to correct the behavior.

The CNA program is a voluntary one, but we have attempted to set some minimal requirements to keep the level of service and quality of product high. We prefer positive reinforcement and collaborative issue resolution. One reason for this is philosophy, where we want the program to be community-driven, transparent, and constructive.

Another reason is there are very few "sticks" that can be used to motivate a CNA to follow a different practice. Currently, censuring a CNA is limited to removal from the program, ignoring or rejecting their assignments, or limiting how many CVE IDs they are allocated at a time (forcing them to come to the Primary more often, which gives the Primary an opportunity to remind them of the processes they should be following).

These punitive responses are far from satisfying, though. They fly against our goals of getting CVE IDs assigned more quickly in a distributed manner. But they do help protect the quality of CVE content and protect the efficiencies our processes bring.

Beyond these three responses, are there other responses the CNA program and CVE can have to change the behavior of a CNA that continually refuses to follow the rules? We assume for this discussion that training and documentation are available and have been developed as much as reasonable to educate the community on what obligations and expectations are upon them. This question focuses on reactive responses, not proactive ones.

@ghost

ghost commented Sep 15, 2017

@dadinolfi this is one reason I'm encouraging the CVE assignments to be tied to actual people, and not some vague "FooCorp". People tend to do better work when it's publicly tied to them (witness Open Source, hard to hide your bad coding habits =).
