Colleagues,
As we prepare for CVE Services 2.x/JSON 5.0 roll-out in the coming weeks, there 
have been a number of questions about the various methods CNAs currently use to 
make CVE ID reservations and publish CVE Records and which methods will 
continue to be supported post deployment.
This bulletin clarifies the CVE Program-specific methods that will be available 
to CNAs for reserving CVE IDs and submitting CVE Records after CVE 
Services/JSON 5.0 deployment. For non-CNAs, the existing method for requesting 
CVE IDs will not be affected.
Non-CNA Submission Methods
Non-CNAs will continue to contact the appropriate CNA to request CVE IDs, as 
described on the 
Report/Request<https://www.cve.org/ResourcesSupport/ReportRequest> page on the 
CVE Program website. The CNA that assigns the ID will publish the CVE Record.
In addition, the CVE Program Secretariat will continue to maintain the CVE 
Program Request web form<https://cveform.mitre.org/> for non-CNAs to submit 
vulnerability reports.
CNA Submission Methods
For CNAs, there will be five methods to reserve CVE IDs and submit CVE Records. 
Some methods will be retired over time while others will have constraints, but 
all five methods described below will be available for use immediately after 
CVE Services 2.x/JSON 5.0 is deployed.
CNAs that don't yet have a CVE Services account may contact their Root to 
receive account credentials ahead of deployment.


Method 1: The current CVE Program Secretariat Web Forms
This method allows CNAs to submit CVE Records in multiple formats: JSON 4.0, 
CSV, and flat file.
For a limited time, CNAs will continue to be able to request CVE ID 
Reservations and publish CVE Records as they do today using the CVE Program 
Secretariat CVE Program Request web forms<https://cveform.mitre.org/>. All 
currently supported input formats will continue to be supported, but this 
method will not process JSON 5.0 formatted input.
[This submission method will be retired 90 days after CVE Services/JSON 5.0 is 
deployed.]

Method 2: CVE List GitHub Submission Pilot
This method allows CNAs to submit CVE Records in JSON 4.0 using GitHub pull 
requests.
For a limited time, CNAs will continue to be able to use the CVE List GitHub 
Submission Pilot<https://github.com/CVEProject/cvelist> to submit CVE Records 
in JSON 4.0, which will then be upconverted to JSON 5.0 records.
[This submission method will be retired 90 days after CVE Services/JSON 5.0 is 
deployed.]

Method 3: Vulnogram
This method is an existing web-based tool for reserving CVE IDs and creating 
and submitting CVE Records that is currently in use by CNAs. JSON 4.0 will 
continue to be supported in this method for 90 days post deployment.
After CVE Services/JSON 5.0 is deployed, this method will only accept direct 
user input (i.e., no attached files) and will submit JSON 5.0 CVE Records 
directly to CVE Services on the CNA's behalf for publication on the CVE List.
To use this method, CNAs will need to present their CVE Services User ID and 
authentication token through 
Vulnogram<https://vulnogram.github.io/cve5/#editor> to identify/authenticate to 
CVE Services. New users, please request CVE Services credentials from your Root.

[Active submission method]

Method 4: Adopt an available CVE Services Client
CVE Services is implemented as a Client/Server architecture. This method 
enables CNAs to adopt an already existing client and install and execute it in 
their own environment to assign CVE IDs and create and submit CVE Records.
Three clients are currently available for use as part of CVE Services/JSON 5.0 
deployment:

  *   Vulnogram web-based interface<https://vulnogram.github.io/cve5/#editor> 
(described above as Method 3)
  *   Red Hat command line interface - 
cvelib<https://github.com/RedHatProductSecurity/cvelib>
  *   CERT/CC simple HTML interface - 
cveClient<https://github.com/CERTCC/cveClient>


[Active submission method]

Method 5: CNAs can develop their own clients
CNAs may develop their own CVE Services clients.  The CVE Program is currently 
preparing documentation to support that development, which will be announced in 
a future bulletin.
[Active submission method]

Comments or Concerns
Please respond to this email message or use the CVE Program Web 
Forms<https://cveform.mitre.org/> (select the "Other" form) to contact us with 
any comments or concerns.

