Colleagues,

The CVE Numbering Authority (CNA) Operational Rules Version 
4.0<https://www.cve.org/ResourcesSupport/AllResources/CNARules> took effect 
today, August 8, 2024. The previous version, CNA Rules 
v3.0<https://www.cve.org/Resources/Roles/Cnas/CNA_Rules_v3.0.pdf>, has been 
deprecated. CNAs are now required to comply with the CNA Rules 
v4.0<https://www.cve.org/ResourcesSupport/AllResources/CNARules>.

After significant community participation and review, the CNA Rules 
v4.0<https://www.cve.org/ResourcesSupport/AllResources/CNARules> document was 
approved by the CVE Board<https://www.cve.org/ProgramOrganization/Board> on May 
8, 2024, and published on the CVE website. CNAs were informed at that time that 
there would be a 90-day transition period to adjust their internal processes to 
integrate the new rules. That 90-day transition period ended on August 8, 2024. 
CNAs are now required to comply with the new rules.

To assist CNAs<https://www.cve.org/ProgramOrganization/CNAs> with the 
transition to the new rules, the CVE Program hosted a “CNA Rules v4.0 Q&A 
Webinar<https://t.co/d3itxu9ffB>” on June 5, 2024, the video of which is 
available now on the CVE Program Channel on 
YouTube<https://www.youtube.com/channel/UCUHd2XFDsKH8kjMZQaSKpDQ/>. The webinar 
provided information to CNAs about ways the new rules might affect CNA 
processes in the short term, the benefits for CNAs moving forward, and the 
expected positive impact on the vulnerability management ecosystem. Many of the 
“Significant Changes” were also discussed in detail in prior announcements such 
as the “CNA Rules Version 4.0 Update and 
Transition<https://www.cve.org/Media/News/item/blog/2024/05/07/CNA-Rules-v4-0-Update-and-Transition>”
 blog and the webinar video<https://t.co/d3itxu9ffB>.

The new and improved “CNA Rules, 
v4.0<https://www.cve.org/ResourcesSupport/AllResources/CNARules>” document is 
available here<https://www.cve.org/ResourcesSupport/AllResources/CNARules> on 
the CVE.ORG website.

Respectfully,
CVE Program Secretariat
cve-prog-secretar...@mitre.org<mailto:cve-prog-secretar...@mitre.org>
