CVEProject/Board-Discussions

Reconsider cloud assignment rules

zmanion opened this issue · 6 comments

Current cloud assignment rules:

7.4.4 CNAs MAY assign a CVE ID to a vulnerability if:

  1. The product or service is owned by the CNA,
  2. The product or service is not customer controlled, and
  3. The vulnerability requires customer or peer action to resolve.

7.4.5 CNAs MUST NOT assign a CVE ID to a vulnerability if the affected product(s) or service(s):

  1. Are not owned by the CNA, and
  2. Are not customer controlled.

7.4.6 CNAs MAY assign a CVE ID to a vulnerability if the affected product(s) or service(s):

  1. Are not owned by the CNA and
  2. Are customer controlled.

The current rules effectively make the cloud provider the only organization permitted to assign CVE for cloud services owned by that provider. This creates a minor perverse incentive that could influence providers to not assign CVE IDs, for instance, when no user action is required.

It's great for security that a provider can fix a cloud vulnerability for all users instantly and that no user action is required. It should be possible for any CNA with an appropriate scope (e.g., a researcher or coordinator CNA) to assign for cloud vulnerabilities.

Cloud-only entries would be tagged as 'exclusively-hosted-service', allowing CVE consumers to filter or otherwise handle cloud IDs as desired.

It's possible that exclusively-hosted-service should be applied to product entries, not to entire CVE entries.

As of this comment, no CVE entries are tagged as 'exclusively-hosted-service' (or 'EXCLUSIVELY HOSTED SERVICE') and there is no public documentation.

These rules describe a process flow that ends with the service provider, and there is no apparent path for appeal to their CNA root. This is unique to cloud vulns, which effectively means that service providers can block CVE assignment. I'm pretty sure that's not the intent -- no single org should have the ability to unilaterally block a CVE assignment, in general.

If appeal is on the table, then this set of rules should reflect that.

I would suggest "The vulnerability requires customer or peer action to resolve." is badly worded, or needs to be added to. E.g. I may not be able to take corrective action but I can cancel my account and ask for my data to be removed. Does that count as customer action to resolve?

Status update: CNA Operational Rules are under revision; this issue will be discussed and addressed. Also a "cloud decision tree" discussion is underway in the Transition Working Group.

The CNA Operational Rules 4.0 (4.2.2, 4.3.2) no longer distinguish assignments for vulnerabilities in cloud services from assignments for any other vulnerabilities.