| Status | Final |
|---|---|
| Version | 1.2.0 |
| Approved | 2021-01-14 |
| Effective | 2021-01-14 |
This policy and procedure is enforceable by Roots and the Secretariat.
Active CNA participation is critical for the CVE Program to achieve its adoption, coverage, and time-to-populate goals. Active CNAs assign CVE IDs and publish CVE Records within a distinct, agreed upon, and documented scope (hereafter referred to as scope). By assigning CVE IDs and publishing CVE Records, CNAs expand CVE Program coverage and adoption, and are critical actors in federating CVE Program operations. Active CNAs may also participate in various working groups and discussions to advance CVE Program objectives.
Inactive CNAs may be problematic for the CVE Program because adoption and coverage may not be achieved within a scope, even though that scope is assigned to a CNA. However, CNAs may be inactive for legitimate reasons, such as when no new vulnerabilities have been identified within their scope; once vulnerabilities are identified, normal assignment and publication activities resume. There are also illegitimate reasons for CNA inactivity, such as the CNA no longer being interested in, properly resourced for, or competent to participate in the CVE Program as a CNA. CNAs that are inactive for legitimate reasons may continue to participate in the CVE Program. CNAs that are inactive for illegitimate reasons may not continue to participate in the CVE Program unless the reasons for inactivity are satisfactorily remediated.
Inactive CNAs are identified as those CNAs, over the preceding six-month period, that have not assigned CVE IDs or published CVE Records within a scope, and have not participated in any of the various working groups and discussions to advance CVE Program objectives.
Inactive CNAs must be identified by their Root CNA so that: 1) the reason(s) for inactivity are determined; and 2) appropriate next steps are taken.
1. Attempt to contact the CNA using all available contact information to determine the reason(s) for the inactivity and appropriate next steps; use the following message:

   <CNA NAME/POC> Active participation in the CVE Program is necessary to retain CNA status. Our records indicate that is currently inactive (i.e., over the preceding six-month period, the CNA has not assigned CVE IDs or published CVE Records within a scope, and/or has not participated in various working groups and discussions to advance CVE Program objectives). Please let us know the reasons for the inactivity by <DATE plus 2 weeks>.

   If contact is made within two weeks, follow the Reason for Inactivity instructions. If contact is not made, proceed to step 2.

2. Two weeks after taking step 1, attempt to contact the CNA again (replying to the email sent in step 1) using the following message:

   <CNA NAME/POC> The CVE Program contacted you on to determine the reason for <CNA NAME’s> inactivity. Active participation in the CVE Program is necessary to maintain CNA status. Please let us know the reasons for the inactivity by <DATE plus 2 weeks>. We look forward to hearing from you soon.

   If contact is made within two weeks, follow the Reason for Inactivity instructions. If contact is not made, proceed to step 3.

3. If contact is not made within two weeks of the step 2 communication, warn the CNA that it will be removed from the CVE Program within two weeks if it does not respond (replying to the email thread from step 2); use the following statement:

   <CNA NAME/POC> The CVE Program contacted you on to determine the reason for <CNA NAME’s> inactivity. Our records indicate that is currently inactive because . Active participation in the CVE Program is necessary to maintain CNA status. If the CVE Program does not hear from you by , your CNA status will be revoked, which means that will no longer be authorized to assign CVE IDs or populate CVE Records and will be removed from the CNA roster, CNA-specific communication, and applicable working groups.

   Should your CNA status be revoked, you are eligible to reapply to become a CNA in the future, provided you complete the CNA onboarding process.

   We look forward to hearing from you soon.

   If contact is made within two weeks, follow the Reason for Inactivity instructions. If contact is not made, proceed to step 4.

4. Two weeks after step 3, if contact has still not been made with the CNA, inform the CNA that its CNA status is hereby revoked (replying to the email thread from step 3), using the following statement:

   <CNA NAME/POC> The CVE Program contacted on to determine why is inactive within the CVE Program. Responses to those communications were not received. Per the last communication, sent on <ENTER DATE HERE AND ATTACH THE STEP 3 EMAIL COMMUNICATION TO THE EMAIL>, CNA status is hereby revoked. This means that is no longer authorized to assign CVE IDs or publish CVE Records and has been removed from the CNA roster, CNA-specific communication, and applicable working groups.

   <ENTER CNA NAME HERE> is eligible to reapply to become a CNA should the organization’s circumstances change. Should want to be a CNA in the future, please contact .

   Thank you for past service to the CVE Program.

5. Follow the CVE Program’s CNA Removal Process to remove the organization as a CNA.
Reason for Inactivity instructions, once the CNA has responded:

- No longer wants to participate: Follow the CNA Removal Process.
- Legitimate: Document the reason(s) for inactivity and notify the Secretariat, the other Roots, and the CVE Board.
- Illegitimate: Document the reason(s) for inactivity and any corrective action that may be required. Notify the Secretariat, the other Roots, and the CVE Board.
CNA Removal Process:

1. Announce the revocation of the CNA’s status:
   a. Send an email to the private CVE Board list.
2. Notify the Web Admin so that the CNA is removed from the CNA list on the website (https://www.cve.org/PartnerInformation/ListofPartners).
3. Mark the CNA as inactive in the CVE Wiki.
4. Transition the CNA’s CVE IDs to another CNA:
   a. Reject all of the CNA’s reserved but not public IDs.
   b. Transfer responsibility for the remaining CVE IDs to the appropriate CNA(s).
5. Revoke the CNA’s privileges to all systems:
   a. Ask the Content Team to mark the CNA as inactive in the CPS.
   b. Remove the CNA from the CNA mailing list (only after the revocation message has been sent).
   c. Ask the Content Team to remove the CNA from the authorized GitHub contributors.