Colleagues,
The CVE Program, Board members, and CNA staff have been working on rewriting
the CVE Numbering Authority (CNA) Operational Rules Version
4.0<https://cve.mitre.rip/Resources/Roles/Cnas/CNA_Rules_v4.0.pdf> (PDF), the
rules CNAs follow when deciding whether and how to assign CVE IDs. This work
has been ongoing since mid-2022.
The team devoted many hours to this important task. We wanted to create a
sustainable set of rules that is well organized and can exist in a more agile
world, so that small, important changes can be made without starting over
again. The new rules went through extensive comment periods within the CVE
Program, ending with a two-week public comment period.
The Board was asked to vote on whether to accept the new CNA Rules on April 24,
2024. A majority of Board members had voted YES by the next day.
There is a fundamental concept embedded throughout the rules, and also
explicitly defined in section "4.2.1 First Refusal":
The CNA with the most appropriate scope gets the first opportunity to assign.
This is often the Supplier (vendor, developer) CNA. This CNA also gets the
first opportunity to not assign. If the CNA does not assign, for any reason
(including but not limited to the product being EOL, i.e. end-of-life), then
another CNA with appropriate scope can assign. For already Publicly Disclosed
vulnerabilities, it is preferred that a CNA of Last Resort (CNA-LR) assigns, to
reduce the chances of duplicate assignments.
Significant Changes
There were many changes to the previous set of rules. Three of the more
significant changes are identified below.
1. The rules are now agnostic to the type of technology:
* 4.2.2.4 CNAs MUST NOT consider the type of technology (e.g., cloud,
on-premises, hybrid, artificial intelligence, machine learning) as the sole
basis for determining assignment.
2. The CNA of Last Resort (CNA-LR) can assign if the CNA declines:
* 4.2.2.1 CNAs SHOULD assign a CVE ID if:
* the CNA has reasonable evidence to determine the existence of a
Vulnerability (4.1), and
* the Vulnerability has been or is expected to be Publicly Disclosed,
and
* the CNA has appropriate scope (3.1).
* The CNA still has discretion about what to assign for:
* 4.2.2.2 CNAs SHOULD Publicly Disclose and assign a CVE ID if the
Vulnerability:
* has the potential to cause significant harm, or
* requires action or risk assessment by parties other than the CNA.
The Shorthand
1. These rules should work for whatever technology comes along; nothing is
automatically out of bounds. This includes Cloud and AI/ML.
2. Every company could potentially have vulnerabilities in its products
and should become a CNA so it can control the message. The CVE Program will
not reach out to a company that is not a CNA to give it right of first
refusal if a potential vulnerability is reported to the Program.
3. The CNA should lean toward assigning a CVE for a vulnerability,
regardless of whether the customer needs to take action, if it is sufficiently
harmful and might go public. The CNA still gets to decide what "significant
harm" means.
Moving Forward
Now that the new rules have been adopted, CNAs have a 90-day grace period,
starting on May 9, 2024, to adjust their processes to comply with the new
rules. On August 8, 2024, the old rules are retired and the new rules will be
enforced. At that point the new rules will be the official CNA Rules Version
4.0<https://cve.mitre.rip/Resources/Roles/Cnas/CNA_Rules_v4.0.pdf> (PDF) used
throughout the CVE Program.
Register Today for the "CNA Rules v4.0 Q&A Webinar"!
The CVE Program has scheduled a "CNA Rules v4.0 Q&A
Webinar"<https://events.gcc.teams.microsoft.com/event/d96f8b09-6c1b-4227-acff-0e6feaf2adcc@c620dc48-1d50-4952-8b39-df4d54d74d82>
for CNA partners on June 5, 2024. CNAs may register for the webinar
here<https://events.gcc.teams.microsoft.com/event/d96f8b09-6c1b-4227-acff-0e6feaf2adcc@c620dc48-1d50-4952-8b39-df4d54d74d82/registration>.
If possible, CNAs should submit questions in advance using this web
form<https://forms.office.com/g/KDShHyZ197>. We look forward to seeing you
there!
Respectfully,
CVE Program Secretariat
cve-prog-secretar...@mitre.org<mailto:cve-prog-secretar...@mitre.org>