Open zmanion opened 1 year ago
Who holds the copyright to CVE Records? MITRE? DHS? Is "The CVE Program" a legal-enough entity to hold rights?
https://www.cve.org/Legal/TermsOfUse
Sample CNA rules language:

> The CVE Program retains complete editorial and content control over CVE Records.
>
> The Secretariat MAY make changes to any CVE Records without first consulting the assigning CNA.
>
> The Secretariat MUST notify the CNA of any changes and SHOULD provide rationale for the changes.
>
> In most cases, the Secretariat SHOULD contact the assigning CNA to discuss or request changes to CVE Records.
> Who holds the copyright to CVE Records? MITRE? DHS? Is "The CVE Program" a legal-enough entity to hold rights?

Per Kent, MITRE does.
We very carefully and intentionally balance the CNA value proposition. Particularly for "vendor" CNAs, the CNA has significant influence (editorial control) over CVE Record content. This sometimes involves language about "ownership." In return, the Program benefits greatly from additional and distributed resources and efficient volunteer effort, since "vendor" CNAs are the least-cost avoider (most likely to know the most about the vulnerabilities affecting their products).
With this in mind, as part of the current CNA Operational Rules revision, consider adding rules that make it clear that the Program owns all the content and the Secretariat retains complete editorial and content control.
Personal opinion: we're dabbling in a lot of complexity (more JSON, ADPs) when a simpler solution may be to let the Secretariat just make changes when needed.
(from https://github.com/CVEProject/strategic-planning-working-group/issues/5)