CERTCC / SSVC

Stakeholder-Specific Vulnerability Categorization
https://certcc.github.io/SSVC/

Decision process for whether coordinator assigns a CVE ID #202

Open j--- opened 1 year ago

j--- commented 1 year ago

The CNA rules allow for a fair amount of flexibility for what an individual stakeholder decides about assigning CVE IDs. There are some basic rules here: https://cve.mitre.org/cve/cna/CNA_Rules_v3.0.pdf, section 7.

Within these constraints, it would be useful for a stakeholder to be able to define their own decision about when they assign a CVE ID.

To demonstrate this, we can prototype a coordinator of last resort's decision process for how that stakeholder assigns a CVE ID. The result is yes (assign), no (do not assign), or insist (that the vendor change their mind).

Some first ideas on the elements in the decision are:

It would make sense to call assigning a CVE ID an option for coordination activity; just clear this up in the text about the coordination tree.

ahouseholder commented 1 year ago

Noting that a CVE assignment behavior tree logic is already described in Fig. 7.11 and Sec. 7.5.6 (p93) of Designing Vultron: A Protocol for Multi-Party Coordinated Vulnerability Disclosure.

j--- commented 1 year ago

Perhaps the answer is a brief summary and reference within SSVC to the Vultron work then?

cgyarbrough commented 1 year ago

I am all for efficiency and for integrating SSVC terminology and processes with Vultron.

ahouseholder commented 4 months ago

Current relevant Vultron link:

https://certcc.github.io/Vultron/topics/behavior_logic/id_assignment_bt/