CVEProject / cve-website

The new CVE website

About/Process has confusing references to "CVE Program participant" #2920

Open ElectricNroff opened 3 months ago

ElectricNroff commented 3 months ago

https://github.com/CVEProject/cve-website/blob/f88bd40cd2ec8e3d41c7221c488c6cee9fae4cd5/src/views/About/Process.vue#L50

https://github.com/CVEProject/cve-website/blob/f88bd40cd2ec8e3d41c7221c488c6cee9fae4cd5/src/views/About/Process.vue#L111

This is difficult to understand, especially with the upcoming clarification to the meaning of "CVE Program participant." Perhaps both the text and graphic will need to be updated.

Step 3 might be referring to a pre-2020 scenario in which a CNA requests a CVE ID from MITRE, who processes the request manually.

As mentioned on the https://www.cve.org/ReportRequest/ReportRequestForNonCNAs page, anyone can request. They do not need to be a CVE Program participant.

In Step 5, it is unclear what "submits the details" means. Is this discussing CVE Record submission through CVE Services (automation), or a pre-submission process that envisions that the details are held by someone who is not a CNA? In the latter case, it could possibly be reworded as "A person or organization provides the details."

Step 6 introduces the concept of "the responsible CNA," which is not previously mentioned. Maybe the "responsible CNA" is often the same as the "CVE Program participant" in Step 2? Today, it would be unusual if an individual or organization, when following this process, would benefit from reporting a vulnerability to a CVE Program participant who is not a CNA.

dmcyber commented 3 months ago

Suggest updating step 2 on the Process page to point here for helpful info on determining to whom to report (instead of pointing to the Partners list directly).