
RE: CVE REJECT State



Just realized that I didn’t provide an example for why something might change.

 

----------------------

The CVE Team and Board have recently revisited the use of CVE ID States (e.g., REJECT, RESERVED, DISPUTED), and are planning to make some necessary changes to them in the coming months. One of the changes recently discussed was in how the REJECT state is applied, and specifically whether a REJECT CVE ID can change states again at a later date.

 

As a recap, a CVE ID listed as "REJECT" is a CVE ID that is not accepted as a CVE ID. The reason a CVE ID is marked REJECT will most often be stated in the description of the CVE ID. Possible examples include it being a duplicate CVE ID, it being withdrawn by the original requester, it being assigned incorrectly, or some other administrative reason. As a rule, REJECT CVE IDs should be ignored. However, there may be cases where a CVE ID previously marked as REJECT might need to move back to RESERVED or a populated state (i.e., the details and references are published and included).

 

The CVE Team and Board agree that the REJECT state should NOT be considered permanent, and that changes to this CVE ID state should be allowed in the future. An example case could include a simple accidental REJECT, where a CVE ID was marked as REJECT by a CNA but was used publicly. In this case, it would create more confusion and additional work to REJECT the already used CVE ID, assign a new CVE ID, and also make sure that all public references are updated. The change discussed here would be to simply change the REJECT CVE ID and populate it with the details that were intended.

 

Both the Team and Board agree that some downstream consumers of CVE may be currently interpreting the REJECT state as permanent and that the CVE ID will never change in the future. It was also agreed that we should provide proper notice to the community that this change in use of the REJECT state should be provided.

 

This announcement serves as notice that beginning July 17, CVE IDs in the REJECT state can be changed to another state at any time as appropriate.

 

If you have any comments or concerns about this change, please send them to our CVE Request web form at https://cveform.mitre.org/ (select the Other request type).

 

Regards,

 

The CVE Team

 

 

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Coffin, Chris
Sent: Wednesday, June 14, 2017 9:53 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: CVE REJECT State

 

All,

 

In the last meeting we discussed sending out a note to the community with regard to changing the use of the REJECT state. Here is a draft of what I had planned to send to the community via the news section of the web site, via the CVEAnnounce Twitter account, and CVE/CWE/CAPEC LinkedIn profile.

 

Please provide any comments or feedback by Friday the 16th.

 

Chris

 

----------------------

The CVE Team and Board have recently revisited the use of CVE States (e.g., REJECT, RESERVED, DISPUTED), and are planning to make some necessary changes to them in the coming months. One of the changes recently discussed was in how the REJECT state is applied, and specifically whether a REJECT CVE can change states again at a later date.

 

As a recap, a CVE ID listed as "REJECT" is a CVE ID that is not accepted as a CVE ID. The reason a CVE ID is marked REJECT will most often be stated in the description of the CVE ID. Possible examples include it being a duplicate CVE ID, it being withdrawn by the original requester, it being assigned incorrectly, or some other administrative reason. As a rule, REJECT CVE IDs should be ignored. However, there may be cases where a CVE previously marked as REJECT might need to move back to RESERVED or a populated state (i.e., the details and references are published and included).

 

The CVE Team and Board agree that the REJECT state should NOT be considered permanent, and that changes to this CVE state should be allowed in the future. Both the Team and Board agree that some downstream consumers of CVE may be currently interpreting the REJECT state as permanent and that the CVE will never change in the future. It was also agreed that we should provide proper notice to the community that this change in use of the REJECT state should be provided.

 

This announcement serves as notice that beginning July 17, CVEs in the REJECT state can be changed to another state at any time as appropriate.

 

If you have any comments or concerns about this change, please send them to our CVE Request web form at https://cveform.mitre.org/ (select the Other request type).

 

Regards,

 

The CVE Team

 


Page Last Updated or Reviewed: June 28, 2017