Colleagues,

The CVE Program, Board members and CNA staff, have been working on rewriting the CVE Numbering Authority (CNA) Operational Rules Version 4.0<https://www.cve.org/Resources/Roles/Cnas/CNA_Rules_v4.0.pdf> (PDF) that CNAs use to help them know how to assign CVE IDs. This work has been ongoing since mid-2022. The team devoted many hours to this important task. We wanted to create a sustainable set of rules that were well organized and would be able to exist in a more agile world, so that small, important changes could be made without starting over again. The new rules went through extensive comment periods within the CVE Program, ending with a two-week period of public comments. The Board was required to vote on whether to accept the new CNA Rules on April 24, 2024. A majority of Board members voted YES by the next day.

There is a fundamental concept embedded throughout the rules, and also explicitly defined in section "4.2.1 First Refusal," which is:

The CNA with the most appropriate scope gets the first opportunity to assign. This is often the Supplier (vendor, developer) CNA. This CNA also gets the first opportunity to not assign. If the CNA does not assign, for any reason (including but not limited to EOL), then another CNA with appropriate scope can assign. For already Publicly Disclosed vulnerabilities, it is preferred that a CNA-LR assigns, to reduce the chances of duplicate assignments.

Significant Changes

There were many changes to the previous set of rules. Three of the more significant changes are identified below.

1. The rules are now agnostic to the type of technology:
   * 4.2.2.4 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises, hybrid, artificial intelligence, machine learning) as the sole basis for determining assignment.

2. The CNA of Last Resort (CNA-LR) can assign if the CNA declines:
   * 4.2.2.1 CNAs SHOULD assign a CVE ID if:
     * the CNA has reasonable evidence to determine the existence of a Vulnerability (4.1), and
     * the Vulnerability has been or is expected to be Publicly Disclosed, and
     * the CNA has appropriate scope (3.1).
   * The CNA still has discretion about what to assign for:
     * 4.2.2.2 CNAs SHOULD Publicly Disclose and assign a CVE ID if the Vulnerability:
       * has the potential to cause significant harm or,
       * requires action or risk assessment by parties other than the CNA.

The Shorthand

1. These rules should work for whatever technology comes along; nothing is automatically out of bounds. This includes Cloud and AI/ML.
2. Every company could potentially have vulnerabilities in their products and should become a CNA so they can control the message. The CVE Program will not reach out to a company that is not a CNA to give them right of first refusal if a potential vulnerability is reported to the Program.
3. The CNA should lean on the side of assigning a CVE for a vulnerability, regardless of the need for action by the customer, if it is sufficiently harmful and might go public. The CNA still gets to decide what "significant harm" means.

Moving Forward

Now that the new rules have been adopted, CNAs have a 90-day grace period, starting on May 9, 2024, to figure out how to change their processes and make any necessary adjustments to comply with the new rules. On August 8, 2024, the old rules go away and the new rules will be enforced. At that point the new rules will be the official CNA Rules Version 4.0<https://www.cve.org/Resources/Roles/Cnas/CNA_Rules_v4.0.pdf> (PDF) used throughout the CVE Program.

Register Today for the "CNA Rules v4.0 Q&A Webinar"!

The CVE Program has scheduled a "CNA Rules v4.0 Q&A Webinar"<https://events.gcc.teams.microsoft.com/event/d96f8b09-6c1b-4227-acff-0e6feaf2adcc@c620dc48-1d50-4952-8b39-df4d54d74d82> for CNA partners on June 5, 2024. CNAs may register for the webinar here<https://events.gcc.teams.microsoft.com/event/d96f8b09-6c1b-4227-acff-0e6feaf2adcc@c620dc48-1d50-4952-8b39-df4d54d74d82/registration>. If possible, CNAs should please submit questions in advance using this web form<https://forms.office.com/g/KDShHyZ197>. We look forward to seeing you there!

Respectfully,
CVE Program Secretariat
cve-prog-secretar...@mitre.org<mailto:cve-prog-secretar...@mitre.org>