CERTCC / CERT-Guide-to-CVD

Content for the CERT Guide to Coordinated Vulnerability Disclosure
https://certcc.github.io/CERT-Guide-to-CVD/

Update description of CNA program #17

Closed j--- closed 2 months ago

j--- commented 2 months ago

Is your feature request related to a problem? Please describe.

The text on https://vuls.cert.org/confluence/display/Wiki/CVE+IDs+and+How+to+Obtain+Them is outdated

How are CVE IDs Assigned?

MITRE is the primary maintainer of CVE, and therefore the primary assigner for CVE IDs. When a new vulnerability is reported, MITRE researches the vulnerability to determine the details and whether the vulnerability has previously been reported by someone else. If the vulnerability appears to be new, then a new CVE ID is assigned to the vulnerability for use in future discussion and communications.

However, MITRE has designated a small group of third-party organizations as CVE Numbering Authorities (CNAs), meaning these organizations have limited authority to assign CVE IDs without MITRE's involvement in some circumstances. CNAs are expected to follow the same assignment rules that MITRE follows; this sometimes means that a CVE ID assignment decision does not match what you may expect. The CNAs then report the newly assigned CVE IDs to MITRE, or publish an advisory with the CVE IDs, so that MITRE can include the CNA-assigned CVE IDs in the overall MITRE CVE dictionary.

Generally, large software vendors are CNAs for their own products; for example, Microsoft and Red Hat can assign CVE IDs to vulnerabilities in their own products, and only their own products. MITRE provides a list of CNAs.

The CERT/CC is a more general CNA; while we can assign CVE IDs for most products, we generally do not assign CVE IDs for vulnerabilities in products handled by other CNAs. We are also generally restricted to only assign CVE IDs to vulnerabilities we directly coordinate.

Describe the solution you'd like

While MITRE is a Root CNA and a CNA of last resort, it no longer runs the CVE program. It acts as the Secretariat for the Board, but the Board is independent and MITRE has transitioned formal operations of the CVE program to the Board.

There are also now hundreds of CNAs and that number is growing rather quickly; I expect that is a material change since this text was written. So the tone should probably shift from "there are a small number of CNAs" to something more like "there are a number of CNAs, and the CVE program encourages organizations that regularly interact with CVE assignment to contact their Root CNA to become a CNA themselves."

Describe alternatives you've considered

I think leaving it alone is probably not factually correct any longer; it was correct when written, but the world has changed since then.

sei-vsarvepalli commented 2 months ago

Nice catch @j---. We had already discussed this internally and had not created an issue yet. The plan is to point entirely to the CVE Program Guidelines and the easy chart workflows shown by MITRE here for non-CNAs. That should hopefully resolve it.

ahouseholder commented 2 months ago

We're most likely going to just drop the page entirely and point to the CVE docs directly where appropriate.