Clarify date fields in JSON 5.0 schema #119
Comments
|
The proposed check is for the Services, on submission, if datePublic is in the future, reject the submission. |
|
Moved the bulk of this issue to CVEProject/cve-schema#292, the datePublic check is in #118, closing. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Discussed on the 2023-07-11 AWG call, better clarify the semantics of these date fields.
dateReserved
The date/time this CVE ID was reserved in the CVE automation workgroup services system. Disclaimer: This date reflects when the CVE ID was reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
dateAssigned
The date/time this CVE ID was associated with a vulnerability by a CNA.
datePublished
The date/time the CVE Record was first published in the CVE List.
datePublic
If known, the date/time the vulnerability was disclosed publicly.
dateReserved and datePublished are set by the Services.
dateAssigned and datePublic are optional and set by the CNA.
Before CVE Services, dateReserved and dateAssigned were more important for keeping track and state of CVE IDs. Post-Services, dateAssigned doesn't matter much to the Program overall, although individual CNAs may use it. I don't think the Services have an "assigned" state.
Per #118, consider checking that datePublic is not later than $now, datePublic should never be later than datePublished.
The text was updated successfully, but these errors were encountered: