Colleagues,

Phase 1 of the Soft Deployment of CVE Services 2.1<https://cveproject.github.io/automation-cve-services#services-overview>/CVE JSON 5.0<https://cveproject.github.io/automation-cve-services#json-overview>, to deprecate CVE Services ID Reservation (IDR) 1.1 and release CVE Services - IDR 2.1<https://github.com/CVEProject/cve-services>, was completed on October 6, 2022.
Phase 2, Soft Deployment of CVE Services 2.1 – Record Submission and Upload Service (RSUS)<https://github.com/CVEProject/cve-services>, was completed on October 25, 2022. See Bulletin #10<https://cveproject.github.io/automation-transition#bulletin-number-10> and Bulletin #9<https://cveproject.github.io/automation-transition#bulletin-number-9> for the schedule and complete descriptions of the soft deploy phases.

Overview

With the completion of CVE Services 2.1 Soft Deployment, we enter a “transition period” for CNAs to begin adopting the CVE JSON 5.0 format. During the transition period, the CVE Program will support the current CVE Record Submission workflows (i.e., the CVEList GitHub Pilot<https://github.com/CVEProject/cvelist> in CVE JSON 4.0 format and the CVE Program Request web forms<https://cveform.mitre.org/> submission process) while introducing a new submission process using CVE JSON 5.0 (using CVE Services). CNAs should begin transitioning their CVE Record management infrastructure to use CVE JSON 5.0 format using CVE Services.

To begin the transition, CNAs should:

1. Check out the CVE Services Known Issues<https://cveproject.github.io/automation-cve-services-known-issues> page. This page will highlight some important issues that we know about and are working to correct. If you uncover what you think might be an important issue for us to address, you can post it on the CVE Services Slack Channel (which is monitored from 9:00 a.m. – 5:00 p.m. ET weekdays) or report it by contacting the CVE Automation Working Group (AWG)<https://www.cve.org/ProgramOrganization/WorkingGroups#AutomationWorkingGroupAWG> at a...@cve-cwe-programs.groups.io<mailto:a...@cve-cwe-programs.groups.io>.
2. If you have not already done so, review your historical CVE Records that have been upconverted for you into CVE JSON 5.0 format here<https://github.com/CVEProject/cvelistV5>.
   (Note that this list is not the official CVE List but only a review list for you to consider as part of this transition period. The official CVE List will continue to be here<https://cve.mitre.org/cve/search_cve_list.html> and downloadable here<https://www.cve.org/Downloads> in the traditional formats, based on CVE JSON 4.0 records.)
3. Make updates to your CVE Records using the new CVE Services if you find anomalies (see Getting Started with CVE Services<https://cveproject.github.io/automation-cve-services-getting-started>).
4. Begin planning your transition to the new CVE JSON 5.0 format and adoption of CVE Services.
5. Attend the virtual CVE Services Workshop<https://www.cve.org/Media/News/item/news/2022/08/30/CVE-Services-Workshop-for-CNAs> scheduled for November 2, 2022, from 10:00 a.m. – 2:00 p.m. EDT.
6. Report issues to the CVE Services Slack channel (or the web form), which will be monitored from 9:00 a.m. to 5:00 p.m. EDT for technical support.
7. Check out the new CVE Services Transition Frequently Asked Questions<https://cveproject.github.io/automation-cve-services-faqs> page. If you have a question that is not answered here, you can submit that question for inclusion using the CVE Program Request web forms<https://cveform.mitre.org/>.
8. Look for announcements of the next important CVE Services milestone (i.e., CVE Services “Hard Deploy” targeted for early 2023, which will introduce a “bulk download” capability for CVE JSON 5.0 records that will upgrade our current CVE List Download Architecture). (Note: there will be no CVE JSON 5.0 Bulk Download capability until this deployment.)

Reviewing What’s Available for ID Reservation, Record Submission, Record Viewing, and Downloads

The table below provides a review of the options available to CNAs for reserving CVE IDs and submitting, viewing, and downloading CVE Records, via CVE Services automation or alternate methods, now that soft deployment was completed at the end of October 2022.
User Registry is how CNAs manage their own CVE Services users. Post-October next steps, including advance notice for the eventual deprecation of the CVEList GitHub Pilot, will be announced in future bulletins.

CVE ID Reservation/CVE Record Uploading/User Registry Operations/Search-Viewing Records/CVE Downloads

| Action | Prior to October 6 | Phase 1 Beginning October 6 | Phase 2 Beginning October 25 |
|---|---|---|---|
| Reserve CVE IDs | IDR 1.1; CVE Request Web Form | IDR 1.1 - DEPRECATED; IDR 2.1 - AVAILABLE; CVE Request Web Form | IDR 2.1 - AVAILABLE; CVE Request Web Form |
| Submit CVE Records | GitHub CVEList Pilot (JSON 4.0); CVE Request Web Form | GitHub CVEList Pilot (JSON 4.0 Only); CVE Request Web Form | RSUS 2.1 with CVE JSON 5.0 - AVAILABLE; GitHub CVEList Pilot (JSON 4.0 Only); CVE Request Web Form |
| User Registry (CNA manages its CVE Services users) | IDR 1.1 | IDR 1.1 - DEPRECATED; IDR 2.1 - AVAILABLE | IDR 2.1 - REQUIRED |
| Searching-Viewing CVE Records | ID LOOK UP: cve.org website (JSON 4.0); ID & KEYWORD SEARCH: cve.mitre.org legacy site (JSON 4.0); ID RECORD SEARCH: GitHub CVEList Pilot (JSON 4.0) | ID LOOK UP: cve.org website (JSON 5.0); ID & KEYWORD SEARCH: cve.mitre.org legacy site (JSON 4.0); ID RECORD SEARCH: GitHub CVEList Pilot (JSON 4.0) | ID LOOK UP: cve.org website (JSON 5.0); ID & KEYWORD SEARCH: cve.mitre.org legacy site (JSON 4.0); ID RECORD SEARCH: GitHub CVEList Pilot (JSON 4.0) |
| Bulk Downloads (NOTE: cve.org links-out to the cve.mitre.org downloads) | cve.org website (JSON 4.0); cve.mitre.org legacy site (JSON 4.0); GitHub CVEList Pilot (JSON 4.0) | cve.org website (JSON 4.0); cve.mitre.org legacy site (JSON 4.0); GitHub CVEList Pilot (JSON 4.0) | cve.org website (JSON 4.0); cve.mitre.org legacy site (JSON 4.0); GitHub CVEList Pilot (JSON 4.0) |

Questions? Please use the CVE Request Web Forms<https://cveform.mitre.org/> and select “Other” from the dropdown.

Respectfully,
CVE Program Secretariat
cve-prog-secretar...@mitre.org<mailto:cve-prog-secretar...@mitre.org>