Skip to content

"most freely available public reference" is not a defined term #44

Description

@jgamblin

5.3.1.2: "If multiple public references exist, CNAs MUST include the most freely available public reference in the CVE Record."

This phrase appears exactly once in the entire CNA Operational Rules and is not defined anywhere in the CVE Program Glossary. There's no way to check compliance with this MUST because there's nothing to compare against. What counts as "most freely available" when one reference requires no login but has a paywalled PDF, and another requires free registration but is otherwise open? CNAs have no consistent standard to follow, and there's no way to audit whether they're following it.

5.3.3.1 and 5.3.3.2 already give partial criteria nearby (SHOULD NOT require registration or login, SHOULD NOT impose restrictive terms of use), so the ingredients for a real definition already exist in the document, they're just not tied back to 5.3.1.2's MUST.

Proposed change

Define "most freely available" either in the Glossary or inline at 5.3.1.2, using the existing 5.3.3.1/5.3.3.2 criteria as the basis, something like: the reference that imposes the fewest access barriers (no login or registration required, no paywall, no restrictive terms of use). Alternatively, if the Program can't agree on a precise definition, downgrade 5.3.1.2 from MUST to SHOULD so the rule doesn't assert an obligation nobody can actually verify.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions