About/Process has confusing references to "CVE Program participant" #2920

Open
ElectricNroff opened this issue Jul 2, 2024 · 1 comment

<p>CVE Program participant requests a CVE Identifier (CVE ID).</p>

<p>CVE Program participant submits the details.</p>

This is difficult to understand, especially with the upcoming clarification to the meaning of "CVE Program participant." Perhaps both the text and graphic will need to be updated.

Step 3 might be referring to a pre-2020 scenario in which a CNA requests a CVE ID from MITRE, who processes the request manually.

As mentioned on the https://www.cve.org/ReportRequest/ReportRequestForNonCNAs page, anyone can request. They do not need to be a CVE Program participant.

In Step 5, it is unclear what "submits the details" means. Is this discussing CVE Record submission through CVE Services (automation), or a pre-submission process that envisions that the details are held by someone who is not a CNA? In the latter case, it could be reworded as "A person or organization provides the details." possibly.

Step 6 introduces the concept of "the responsible CNA," which is not previously mentioned. Maybe the "responsible CNA" is often the same as the "CVE Program participant" in Step 2? Today, it would be unusual if an individual or organization, when following this process, would benefit from reporting a vulnerability to a CVE Program participant who is not a CNA.

dmcyber commented Jul 2, 2024

Suggest updating step 2 on Process page to point here for helpful info on determining to whom to report (instead of pointing to Partners list directly).

@github-project-automation github-project-automation bot moved this to Needs Triage in CVE Website Backlog Aug 22, 2024
@athu-tran athu-tran added the content update Content update to the website label Aug 23, 2024
@athu-tran athu-tran assigned athu-tran and rroberge and unassigned athu-tran Aug 23, 2024
@jdaigneau5 jdaigneau5 added the needs-discussion Needs more discussion, either with TWG or internally label Oct 21, 2024