The CVE Program Glossary defines:
Reserved but Public (RBP): A CVE ID in the "Reserved" state that is referenced in one or more public sources but for which a CVE Record has not been published.
This term does not appear anywhere in the CNA Operational Rules. Zero occurrences. Instead, 4.5.1.3, 4.5.1.4, 4.5.1.6, and 4.5.1.7 all key their publication deadlines off a different, undefined phrase: "Publicly Disclosing a CVE ID assigned by the CNA." Publicly Disclosed is itself a defined term, but it's defined for a Vulnerability ("the state in which non-trivial information about a vulnerability is publicly available"), not for a CVE ID. A CVE ID being referenced publicly and a Vulnerability being publicly disclosed are two different, separately-defined states in the same Glossary, and the rules conflate them into one undefined hybrid phrase.
This isn't academic. A reserved CVE ID getting referenced publicly (a bug tracker, a scanner output, a leaked reservation) before any vulnerability advisory exists is exactly the RBP scenario the Glossary already anticipated. As written, it's unclear whether that event starts the 4.5.1.3/4.5.1.4 clock at all, since those rules talk about disclosing the CVE ID, not about the ID becoming RBP.
Separately, 4.5.1.6 (third party discloses) is a SHOULD while 4.5.1.4 (CNA discloses) is a MUST at the same 72 hours. Whichever definition is used, the case where an ID is already circulating publicly through someone else's action currently has the weaker obligation, which is backwards from what you'd want.
Proposed changes
- Replace "Publicly Disclosing a CVE ID assigned by the CNA" in 4.5.1.3, 4.5.1.4, and 4.5.1.7 with the defined term RBP, or explicitly state how RBP and Publicly Disclosed relate to each other and which one starts each clock.
- Change 4.5.1.6 from SHOULD to MUST so CNA-caused and third-party-caused disclosure carry the same deadline.
This is a terminology and consistency fix using language the Program has already written and approved, not a new obligation.
The CVE Program Glossary defines:
This term does not appear anywhere in the CNA Operational Rules. Zero occurrences. Instead, 4.5.1.3, 4.5.1.4, 4.5.1.6, and 4.5.1.7 all key their publication deadlines off a different, undefined phrase: "Publicly Disclosing a CVE ID assigned by the CNA." Publicly Disclosed is itself a defined term, but it's defined for a Vulnerability ("the state in which non-trivial information about a vulnerability is publicly available"), not for a CVE ID. A CVE ID being referenced publicly and a Vulnerability being publicly disclosed are two different, separately-defined states in the same Glossary, and the rules conflate them into one undefined hybrid phrase.
This isn't academic. A reserved CVE ID getting referenced publicly (a bug tracker, a scanner output, a leaked reservation) before any vulnerability advisory exists is exactly the RBP scenario the Glossary already anticipated. As written, it's unclear whether that event starts the 4.5.1.3/4.5.1.4 clock at all, since those rules talk about disclosing the CVE ID, not about the ID becoming RBP.
Separately, 4.5.1.6 (third party discloses) is a SHOULD while 4.5.1.4 (CNA discloses) is a MUST at the same 72 hours. Whichever definition is used, the case where an ID is already circulating publicly through someone else's action currently has the weaker obligation, which is backwards from what you'd want.
Proposed changes
This is a terminology and consistency fix using language the Program has already written and approved, not a new obligation.