Automated discovery (determination) and assignment

zmanion / CVE

MIT License

3 stars 0 forks source link

Automated discovery (determination) and assignment #6

Open zmanion opened 11 months ago

zmanion commented 11 months ago

(from https://github.com/CVEProject/strategic-planning-working-group/issues/4)

Consider adding rules about how to handle automated vulnerability discovery (determination in the curent CNA Operational Rules revision) and assignment. Related:

https://cve.mitre.org/data/board/archives/2015-11/msg00010.html

https://github.com/ossf/wg-vulnerability-disclosures/issues/123

Specification: OpenSSF Compliant Automated Vulnerability Fix Campaign

User Stories

zmanion commented 11 months ago

The details matter, but automated vulnerabilit discovery (determination) may meet the requirement that for evidence of a vulnerability. Setting aside important vulnerability coordination issues, automated CVE ID reservation and record publication should be allowed. This has the potential to add "a lot" of CVE IDs to the corpus.