"A CNA MAY specify in its Scope Definition whether or not the CNA assigns CVE IDs for EOL Products.
If a CNA Scope Definition 1) specifies that the CNA does assign for EOL Products or 2) does not specify whether or not the CNA assigns for EOL Products, then vulnerabilities that may affect EOL products MUST be reported through the CNA’s vulnerability reporting and disclosure processes.
If a CNA Scope Definition 3) specifies that the CNA does not assign for EOL Products, then CVE assignment requests MUST be handled by an appropriate CNA-LR as described in the End-of-Life Vulnerability Assignment Process.
As the rules inconsistency is addressed in the new CNA Operational Rules, it should be removed from the EOL Vulnerability Assignment Process when new rules are published.
The 'Temporary Rules Inconsistency' (Section 3 of EOL Vulnerability Assignment Process) has been addressed in the new CNA Operational Rules. Section 3.1.11 "Scope Definitions for EOL Products" now reflects the suggested wording from the EOL Vulnerability Assignment Process:
"A CNA MAY specify in its Scope Definition whether or not the CNA assigns CVE IDs for EOL Products.
If a CNA Scope Definition 1) specifies that the CNA does assign for EOL Products or 2) does not specify whether or not the CNA assigns for EOL Products, then vulnerabilities that may affect EOL products MUST be reported through the CNA’s vulnerability reporting and disclosure processes.
If a CNA Scope Definition 3) specifies that the CNA does not assign for EOL Products, then CVE assignment requests MUST be handled by an appropriate CNA-LR as described in the End-of-Life Vulnerability Assignment Process.
As the rules inconsistency is addressed in the new CNA Operational Rules, it should be removed from the EOL Vulnerability Assignment Process when new rules are published.