Yes, although you could also say that as the entity publishing a vulnerability as a CVE record the CNA *is* making that claim themselves. This breaks down when we talk about a CNA-LR. One solution could be to allow CNAs to publish without a reference if they meet the higher record requirements, but require CNA-LRs to publish with a reference always. Both scenarios could mechanically validated by the CVE submission service.
Regards, Dave -----Original Message----- From: Landfield, Kent (Enterprise) <kent_landfi...@mcafee.com> Sent: Wednesday, August 18, 2021 4:19 PM To: Art Manion <aman...@cert.org>; CVE Editorial Board Discussion <firstname.lastname@example.org> Subject: Re: public reference requirement Totally agree! Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, Bedankt,Danke!, ありがとう, धन्यवाद! -- Kent Landfield McAfee Enterprise +1.817.637.8026 kent_landfi...@mcafee.com On 8/18/21, 3:07 PM, "Art Manion" <aman...@cert.org> wrote: Towards the end of the discussion today, this came up: Participants in these sorts of large/distributed systems (the CVE Program) *must* have some real responsibility, aka skin in the game. So, the requirement to me is that the entity requesting or assigning or populating the CVE entry *must also be willing to make the same claim themselves.* This can be a git commit, a vendor advisory, a researcher blog post. More than the content, the fact that the claim is published by the CVE requester/assigner matters. Otherwise the system allows participants to push responsibility on the program that the program doesn't own -- the program catalogs vulnerabilities, the program doesn't own (i.e., discover, create, fix) vulnerabilities. - Art