Colleagues,

It is important that we protect the integrity of the CVE Records. Changes made to existing CVE Records need to be limited to changes either correcting CVE-related information or providing better vulnerability-related explanations.
The following guidelines must be followed in the short term and are actively being incorporated into the CVE Program Rules. The guidelines depicted below are subject to change and are expected to be enhanced in the future.

Background

Prior to October 2016, the CVE Program was based on a hub-and-spoke model, and MITRE was the hub. In that capacity, MITRE wrote all CVE descriptions and published all CVE Records. While there were a few CVE Numbering Authorities (CNAs) before that date, it was not until early 2017 that the program began to change from its initial model to the current federated CNA management model. Today, it is the CNAs' responsibility to write their own descriptions and publish their own records. The CVE Board has defined October 31, 2016, as the point in time before which all CVE Records are deemed historical CVE data.

Modification of Historical CVE Data

* CVE Records created prior to October 31, 2016, must not be modified by CNAs. This restriction will be implemented in CVE Services so that any attempt to change historical data will be blocked.
* If your organization feels there is a legitimate need to make changes to relevant records, contact the CVE Secretariat and make your case. Due to CVE Board directions, the Secretariat most likely will not accept your request. However, if there are errors that need to be corrected, contact the Secretariat with the justification and suggested updates so the supplied information can be reviewed and records updated if deemed appropriate.

Modification to CNA CVE Data

* CVE Records created after October 31, 2016, can be updated by the owning CNA.
* CVE Descriptions are highly visible to the vulnerability management community, which uses CVE data in products, databases, and security advisories. When updating existing CVE Descriptions, adherence to the following guidelines is required:
  * Additional clarifying detail: Information that enhances understanding of the vulnerability is allowed and encouraged.
  * Errors: Where a description contains an error, it should be corrected.
  * Removing information: Removing information from a description that is not in error is not allowed.
  * Altering information: Changing information in a description to modify the perceived severity of a vulnerability is not allowed.

Temporary CVE Record Modification Considerations

* Description Length: The CVE Program is deprecating the CVE JSON 4.0 data format. The transition to supporting only CVE JSON 5.0 is planned for July 1, 2024. Until then, the CVE Record Description field is limited to a maximum of 3999 characters. Be aware of this when developing descriptions. The Program is exploring an auto-truncate feature that will truncate descriptions to the maximum allowable character count of 3999. Until this feature is available, descriptions surpassing the character count will cause the submission to fail.
* Existing External References: CNAs must preserve existing references. It is possible to unintentionally overwrite existing references through an update process. This is a short-term problem being addressed through the CVE Program ADP container when it becomes operational in the coming months. At that point, existing references will be copied from the CNA container of all CVE Records into the CVE Program ADP container. However, until this capability is operational, CNAs must pay close attention to not accidentally overwrite existing references during an update process:
  * All references (initial and added) must be retained during any updates.
  * Broken historical links must be retained for historical reference.
  * When references added by the CNA are not correct (e.g., due to input errors, M&A activities, etc.), corrections are allowed.

This document is also available as a PDF on the CVE website: https://www.cve.org/Resources/Roles/Cnas/CVE-Record-Management-Guidelines.pdf

Questions?
If you have any comments or concerns, please use the CVE Program Request forms (https://cveform.mitre.org/) and select “Other” from the dropdown menu.

Respectfully,
CVE Program Secretariat
cve-prog-secretar...@mitre.org
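A pre-submission check for the two mechanical constraints in the Temporary CVE Record Modification Considerations (the 3999-character description limit and preservation of existing references in the CNA container), added here as an illustration; it is not part of the Secretariat's message and not a CVE Program or CVE Services tool. Field names follow the CVE JSON 5.0 layout (containers.cna.descriptions[].value and containers.cna.references[].url); the two sample records, the placeholder CVE ID, the allowed_removals parameter for deliberate reference corrections, and the assumption that the limit applies to each description value independently are constructed for this example.

```python
"""Pre-submission checks for a CVE JSON 5.0 CNA-container update (example code)."""
from __future__ import annotations

import json

MAX_DESCRIPTION_CHARS = 3999  # limit stated in the guidelines for the description field

# Constructed sample data: the record as currently published, and a proposed
# update that accidentally drops one reference and pushes the description
# past the limit. The CVE ID is a placeholder, not a real record.
EXISTING_RECORD = {
    "cveMetadata": {"cveId": "CVE-0000-0000", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "descriptions": [{"lang": "en", "value": "Example description of the issue."}],
            "references": [
                {"url": "https://vendor.example/advisory/1"},
                {"url": "https://tracker.example/issue/42"},
            ],
        }
    },
}

PROPOSED_UPDATE = json.loads(json.dumps(EXISTING_RECORD))  # deep copy of the sample
PROPOSED_UPDATE["containers"]["cna"]["references"] = [
    {"url": "https://vendor.example/advisory/1"},        # tracker link dropped by mistake
    {"url": "https://vendor.example/advisory/1-fixed"},  # newly added reference
]
PROPOSED_UPDATE["containers"]["cna"]["descriptions"][0]["value"] = "A" * 4000


def _cna(record: dict) -> dict:
    """The CNA container of a CVE JSON 5.0 record (empty dict if absent)."""
    return record.get("containers", {}).get("cna", {})


def reference_urls(record: dict) -> set[str]:
    """Set of reference URLs present in the record's CNA container."""
    return {ref["url"] for ref in _cna(record).get("references", []) if "url" in ref}


def check_description_length(record: dict, limit: int = MAX_DESCRIPTION_CHARS) -> list[str]:
    """One problem string per description value longer than the limit.

    Assumption for this example: the limit applies to each descriptions[].value
    on its own, which is the field a CNA fills in.
    """
    problems = []
    for i, desc in enumerate(_cna(record).get("descriptions", [])):
        length = len(desc.get("value", ""))
        if length > limit:
            problems.append(f"descriptions[{i}] is {length} characters, limit is {limit}")
    return problems


def check_references_preserved(existing: dict, proposed: dict,
                               allowed_removals=frozenset()) -> list[str]:
    """One problem string per existing reference URL missing from the update.

    URLs listed in allowed_removals are deliberate corrections of references
    the CNA itself added in error (the one removal the guidelines permit), so
    they are not flagged. Broken historical links are still flagged: they must
    stay in the record.
    """
    missing = reference_urls(existing) - reference_urls(proposed) - set(allowed_removals)
    return [f"reference dropped by update: {url}" for url in sorted(missing)]


def validate_update(existing: dict, proposed: dict, allowed_removals=frozenset()) -> list[str]:
    """All problems that would make the update fail or violate the guidelines."""
    return (check_description_length(proposed)
            + check_references_preserved(existing, proposed, allowed_removals))


if __name__ == "__main__":
    for problem in validate_update(EXISTING_RECORD, PROPOSED_UPDATE):
        print("REJECT:", problem)
```

Run against the sample data, the check reports the oversized description and the silently dropped tracker link; passing that URL in allowed_removals is how a CNA records an intentional correction rather than an accidental overwrite.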