
Consider how to handle updates from CNAs

Open zmanion opened this issue 9 months ago • 3 comments

Summary

How should CNA updates to CVE Records be handled, specifically updates made after enrichment?

Motivation and context

The current process does not add enriched data (e.g., CVSS, CWE, CPE) if that data is already provided by the CNA. But this sequence could occur:

  1. CNA publishes CVE Record, without (for example) CVSS
  2. CISA triages and chose to enrich the Record, adding CVSS
  3. CNA updates CVE Record with CVSS

The CISA CVSS (2.) and CNA CVSS (3.) may not agree. Also, consumers may not readily understand the reason for any discrepancy.

Implementation notes

The CVE Record Format timeline element could be used to record events, conveying to consumers that the CNA update happened after enrichment. Another option could be to remove CISA-provided enriched data after the CNA provides it.

zmanion avatar May 17 '24 00:05 zmanion
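A consumer-side check for the discrepancy described in the issue, added here as an example that is not part of the issue or of the vulnrichment project: it reads a constructed record laid out like a CVE Record Format 5.x JSON document, compares the CNA's CVSS with the CVSS in the CISA ADP container, and uses the ADP timeline entry (falling back to the ADP's dateUpdated) to tell whether the CNA update landed after enrichment. The ADP shortName "CISA-ADP", the timeline wording and the exact metric field paths are assumptions.

```python
import json
from datetime import datetime

# Constructed sample record, not a real CVE. The field paths follow the CVE
# Record Format 5.x layout assumed here: a CNA container plus a CISA ADP container.
SAMPLE_RECORD = json.loads("""{
  "cveMetadata": {"cveId": "CVE-0000-00000"},
  "containers": {
    "cna": {
      "providerMetadata": {"shortName": "ExampleCNA", "dateUpdated": "2024-05-16T12:00:00.000Z"},
      "metrics": [{"cvssV3_1": {"baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]
    },
    "adp": [{
      "providerMetadata": {"shortName": "CISA-ADP", "dateUpdated": "2024-05-10T09:30:00.000Z"},
      "metrics": [{"cvssV3_1": {"baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}],
      "timeline": [{"time": "2024-05-10T09:30:00.000Z", "lang": "en", "value": "CISA ADP enrichment: CVSS added"}]
    }]
  }
}""")

def _parse_time(stamp):
    # ISO 8601 with a trailing Z; normalise so datetime.fromisoformat accepts it on older Pythons.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def _first_cvss(container):
    # Return (version key, baseScore, vectorString) for the first CVSS metric, or None if absent.
    for metric in container.get("metrics", []):
        for key, value in metric.items():
            if key.startswith("cvssV"):
                return key, value.get("baseScore"), value.get("vectorString")
    return None

def cvss_disagreement(record, adp_short_name="CISA-ADP"):
    """Compare CNA and ADP CVSS; None when either side has no CVSS, else a dict explaining the state."""
    cna, adps = record["containers"]["cna"], record["containers"].get("adp", [])
    adp = next((a for a in adps if a.get("providerMetadata", {}).get("shortName") == adp_short_name), None)
    cna_cvss, adp_cvss = _first_cvss(cna), (_first_cvss(adp) if adp else None)
    if cna_cvss is None or adp_cvss is None:
        return None
    cna_updated = _parse_time(cna["providerMetadata"]["dateUpdated"])
    # Enrichment time: first ADP timeline event if recorded, otherwise the ADP container's dateUpdated.
    events = adp.get("timeline") or [{"time": adp["providerMetadata"]["dateUpdated"]}]
    enriched_at = _parse_time(events[0]["time"])
    return {
        "cna_score": cna_cvss[1], "adp_score": adp_cvss[1],
        "scores_agree": cna_cvss[1] == adp_cvss[1] and cna_cvss[2] == adp_cvss[2],
        "cna_updated_after_enrichment": cna_updated > enriched_at,
    }
```

A consumer can surface `cna_updated_after_enrichment` alongside both scores so the ordering in the issue (enriched first, CNA CVSS later) is visible rather than a silent conflict.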