You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As per the new CNA rules https://www.cve.org/Resources/Roles/Cnas/CNA_Rules_v4.0.pdf (effective August 8, 2024), 4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises, artificial intelligence, machine learning) as the sole basis for determining assignment.
This means that there will be CVEs assigned to vulnerabilities in cloud and other new technologies in which there is no action expected by a vendor from the end user. To enable end users to differentiate between CSAF advisories containing CVE's in which an action is expected (like upgrading to the latest version manually) from the 'informational' CVE's in which there is no action expected, I propose the TC considers adding an optional field 'Action Required', which can take the value Yes/No.
The text was updated successfully, but these errors were encountered:
I agree with the no_action_required suggestion. This allows us to capture the majority of the cases of CSAF disclosures where action may be required by the consumer of the document/technology.
As per the new CNA rules https://www.cve.org/Resources/Roles/Cnas/CNA_Rules_v4.0.pdf (effective August 8, 2024),
4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises, artificial intelligence, machine learning) as the sole basis for determining assignment.
This means that there will be CVEs assigned to vulnerabilities in cloud and other new technologies in which there is no action expected by a vendor from the end user. To enable end users to differentiate between CSAF advisories containing CVE's in which an action is expected (like upgrading to the latest version manually) from the 'informational' CVE's in which there is no action expected, I propose the TC considers adding an optional field 'Action Required', which can take the value Yes/No.
The text was updated successfully, but these errors were encountered: