Clarify date fields

[zmanion]

Discussed on the 2023-07-11 AWG call, better clarify the semantics of these date fields.

dateReserved
The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.

dateAssigned
The date/time this CVE ID was associated with a vulnerability by a CNA.

datePublished
The date/time the CVE Record was first published in the CVE List.

datePublic
If known, the date/time the vulnerability was disclosed publicly.

dateReserved and datePublished are set by the Services.

dateAssigned and datePublic are optional and set by the CNA.

Before CVE Services, dateReserved and dateAssigned were more important for keeping track and state of CVE IDs. Post-Services, dateAssigned doesn't matter much to the Program overall, although individual CNAs may use it. I don't think the Services have an "assigned" state.

Copied from CVEProject/automation-working-group#119

[sei-vsarvepalli]

Should probably go in to the best practices, see #241. The current document is scoped for Affected Product only, this date information should be part of such a document.

[jayjacobs]

Could this be updated for a specific issue? If I had to guess this request is to update documentation/defintions:

• Clarify what the CNA can submit in a new record or an update to an existing CVE
• Clarify what the CVE Services sets and when they set it (upon submission/update).
• Ensure the definitions of each date field are very clearly defined and differentiated from the other date fields (e.g. assigned vs reserved seem to be very similar)
• clarify which datefields apply to the entire CVE record versus the container they are in (especially important with ADPs)

[zmanion]

To the best of my recollection, yes, this was a discussion about updating/clarifying documentation (and possibly guidance or rules, see #378). I will offer to review schema definitions (text) for these fields.

[zmanion]

Year dateAssignedCount totalCount
==== ================= ==========
1999                 0       1579
2000                 0       1242
2001                 0       1556
2002                 0       2392
2003                 0       1553
2004                 0       2707
2005                 0       4767
2006                 0       7142
2007                 0       6580
2008                 0       7176
2009                 0       5040
2010                 0       5217
2011                 0       4861
2012                 0       5893
2013                 3       6780
2014                 0       8982
2015                 3       8748
2016                 7      10555
2017               369      17010
2018               538      17457
2019               110      17018
2020                37      20575
2021                57      22983
2022                28      25287
2023               759      29080
2024               501      32905