Closed zmanion closed 2 weeks ago
Having a list of Reserved CVEs would allow me to quickly cross-reference CVE advisory pages I come across to determine whether they are in a "Reserved But Public" state or whether the CVE does not exist at all.
From 2024-11-12 AWG meeting: The AWG consensus proposal is to continue current policy, convey that an ID is reserved and redact "owning_cna". The web site and API do this currently; figure out how to provide it via bulk download (GitHub repo).
Consider the "reserved" file format perhaps not being an entirely different schema (like REJECTED IDs) but the existing record schema with appropriate state, redacted CNA, and other fields blank (or removed?).
For RESERVED CVE IDs, pick one of:

1. Do not provide any response from the API and do not list or render any RESERVED CVE IDs. There is no point in conveying any public information about RESERVED CVE IDs.
2. Populate "owning_cna" in the RESERVED API response and in the web site rendering. For RBPs, everyone wants to know whose CVE ID it is. With authority to assign CVE IDs comes responsibility to publish them, especially for high-visibility/urgent vulnerabilities.
The current behavior confirms that a CVE ID is indeed RESERVED, but perhaps leaves more important questions than the information it provides.
I personally prefer option 2.
I vaguely recall reasons for this behavior, predating CVE Services and CNA federation, possibly related to not leaking information about block assignments, because someone could infer that someone might be going to assign more CVE IDs?