SSVC
Decision process for whether coordinator assigns a CVE ID
The CNA rules allow for a fair amount of flexibility for what an individual stakeholder decides about assigning CVE IDs. There are some basic rules here: https://cve.mitre.org/cve/cna/CNA_Rules_v3.0.pdf, section 7.
Within these constraints, it would be useful for a stakeholder to be able to define their own decision about when they assign a CVE ID.
To demonstrate this, we can prototype a coordinator of last resort's decision process for how that stakeholder assigns a CVE ID. The result is yes (assign), no (do not assign), or insist (that the vendor change their mind).
Some first ideas on the elements in the decision are:
- Is the vendor a CNA (CNA Rules Section 7.3, CNA Scope) (yes/no)
- Whether the reporter or vendor will assign (yes/no)
- Multivendor (yes/no) (existing coordination decision point)
  - This question only makes sense if the coordination tree resulted in coordinate
It would make sense to call out assigning a CVE ID as an option for coordination activity; just clear this up in the text about the coordination tree.
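As an added prototype (not SSVC or CERT/CC code), the three decision points above encoded as an SSVC-style decision table in Python, with the "coordinate" precondition enforced and a check that the table covers every path; the outcome mapping in TREE is a hypothetical placeholder policy, not a CNA rule.

```python
from itertools import product

# Decision points as listed in the issue; all are yes/no.
DECISION_POINTS = {
    "vendor_is_cna": ("yes", "no"),        # CNA Rules v3.0, Sec. 7.3 (CNA scope)
    "someone_will_assign": ("yes", "no"),  # reporter or vendor will assign
    "multivendor": ("yes", "no"),          # existing coordination decision point
}
OUTCOMES = ("yes", "no", "insist")

# HYPOTHETICAL placeholder policy, keyed by
# (vendor_is_cna, someone_will_assign, multivendor). Edit to taste.
TREE = {
    ("yes", "yes", "yes"): "no",      # vendor CNA assigns; coordinator does not
    ("yes", "yes", "no"):  "no",
    ("yes", "no",  "yes"): "yes",     # multivendor and nobody assigns: coordinator does
    ("yes", "no",  "no"):  "insist",  # in-scope CNA declines: push back on vendor
    ("no",  "yes", "yes"): "no",      # reporter (or vendor via another CNA) assigns
    ("no",  "yes", "no"):  "no",
    ("no",  "no",  "yes"): "yes",     # last resort: coordinator assigns
    ("no",  "no",  "no"):  "yes",
}


def missing_paths(tree):
    """Return every combination of decision-point values the tree does not cover."""
    names = list(DECISION_POINTS)
    combos = product(*(DECISION_POINTS[n] for n in names))
    return [dict(zip(names, c)) for c in combos if c not in tree]


def invalid_outcomes(tree):
    """Return table entries whose outcome is not one of the allowed results."""
    return {path: out for path, out in tree.items() if out not in OUTCOMES}


def decide(vendor_is_cna, someone_will_assign, multivendor,
           coordination_outcome="coordinate", tree=TREE):
    """Apply the table; only meaningful once the coordination tree said 'coordinate'."""
    if coordination_outcome != "coordinate":
        raise ValueError("CVE assignment question is only asked after 'coordinate'")
    key = (vendor_is_cna, someone_will_assign, multivendor)
    for name, value in zip(DECISION_POINTS, key):
        if value not in DECISION_POINTS[name]:
            raise ValueError(f"{name}: {value!r} not in {DECISION_POINTS[name]}")
    if key not in tree:
        raise KeyError(f"decision table has no outcome for {key}")
    return tree[key]
```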
Noting that CVE assignment behavior tree logic is already described in Fig. 7.11 and Sec. 7.5.6 (p. 93) of Designing Vultron: A Protocol for Multi-Party Coordinated Vulnerability Disclosure.
Perhaps the answer is a brief summary and reference within SSVC to the Vultron work then?
I am all for efficiency and for integrating SSVC terminology and processes with Vultron.
Current relevant Vultron link:
https://certcc.github.io/Vultron/topics/behavior_logic/id_assignment_bt/