CNA Rules
All CVE Numbering Authorities (CNA) which participate in the CVE Program are bound to the official CNA Operational Rules.
Ruleset
CNA Rules v4.0 | effective since 2024-08-08 |
---|---|
CNA Rules v3.0 | effective since 2020-03-05 |
CNA Rules v2.0 | effective since 2018-01-01 |
CNA Rules v1.1 | effective since 2016-09-16 |
CVE Record Dispute Policy 1.0 | effective since 2022-09-22 |
The CNA ruleset is defined by MITRE and published online. CNAs are not allowed to ignore or break these rules. Therefore, there is a clear definition what is accepted as a vulnerability, what is eligible for the assignment of a CVE, how a disclosure has to happen, and how disputes must be resolved.
If somebody approaches a vulnerability submission and we are not able to assign a CVE, you will receive a reason for this CVE Rejection.
If you think we are not following the rules properly, please contact our CNA team to discuss your observations. If we do not come to an agreement, you are always able to escalate our matter to our Root-CNA, which is MITRE itself.
Webinar
Mise à jour: 09/09/2024 par VulDB Documentation Team