Jan 30, 2024
By Shannon Sabens, CVE Board member and Outreach and Communications Working Group (OCWG) Co-Chair
Several years ago, it was clear to the CVE Board that we would need a specific process for the disputes that inevitably arise around vulnerability reporting. Potential scenarios may be obvious to many, but a basic example is when a finder reports a potential vulnerability to a vendor/maintainer that agrees a bug exists but disagrees that it is a security hole.
CVE Record Dispute Policy
By publishing the “CVE Record Dispute Policy” in 2022, the CVE Program aimed to give affected parties an easy pathway for dispute resolution, one that moves up through a CVE Numbering Authority (CNA), Root, Top-Level Root (TL-Root), and Council of Roots (CoR) hierarchy. Note that a “Root” is an organization authorized within the CVE Program that is responsible, within a specific scope, for the recruitment, training, and governance of one or more CNAs. If you are picturing a hierarchy of CNAs that enables the program to scale, then you’ve got it. Roots help new CNAs onboard and support CNAs in following the rules of the program. When needed, a dispute may be escalated to the CNA’s Root (and upward in the hierarchy, if needed) as detailed in the CVE Record Dispute Policy.
A flow chart of the CVE Record Dispute Policy process is below. A more complete description of the process is included in the policy document here.
DISPUTED Tag Could Be Temporary or Indefinite
It is not possible in all cases for the Root, TL-Root, or CoR to establish who may be correct in such disputes (though a decision by the CoR is final). In such cases, the Program may give the CVE Record a designation of “DISPUTED.”
A “DISPUTED” tag in a CVE Record could be for one (or more) of any number of reasons, for example, questions of accuracy, completeness, or whether the bug in question is, in fact, a security hole at all.
In these instances, it is the Board’s intent — per the CVE Record Dispute Policy — that the Program:
- Will not make a determination as to which party in the dispute is correct.
- Will allow the reader to be informed of a potential vulnerability by adding the DISPUTED tag to the CVE Record in question.
- Will enable the reader (by allowing the record to remain published with the DISPUTED tag) to decide whether the disputed report represents a threat to their organization’s assets.
Recently, we have observed in public discourse some assumptions by the community that the DISPUTED tag is an interim state. However, in some cases, the DISPUTED tag may remain in place indefinitely.
The complete details of the CVE Program’s disputes policy can be found here.
Please comment here on the CVE Blog on Medium, use our CVE Blog website feedback form, or use the CVE Request Web forms and select “Other” from the dropdown menu, to provide feedback about this article.