Required activity, publishing CVE Records within a period of time?
Does the Program send heartbeat notifications?
Practice may be that CNAs are only removed if there is a complaint or specific reason (and perhaps also lack of publication)?
This may warrant explanation in the CNA Operational Rules revision.
zmanion
commented
1 year ago
Collecting several discussions, there are questions about how CNA membership is maintained.
https://github.com/ossf/wg-vulnerability-disclosures/pull/139
Required activity, publishing CVE Records within a period of time? Does the Program send heartbeat notifications? Practice may be that CNAs are only removed if there is a complaint or specific reason (and perhaps also lack of publication)?
This may warrant explanation in the CNA Operational Rules revision.