Can CNAs publish vulnerability advisories lacking CVE IDs?

[zmanion]

Related to #9, we've observed "vendor" CNAs publishing advisories for vulnerabilities but lacking CVE IDs (nothing assigned by the CNA or another CNA, like a researcher or coordinator CNA).

The CVE Program tries not to dictate CNA (vendor or otherwise) vulnerabiltiy coordination, remediation, disclosure, and publication practices. CNAs are not required to fix vulnerabilities or publish advisories, and CNAs are to some extent not required to assign CVE IDs (although they may have a right of first refusal).

If a CNA publishes about a vulnerability, it seems reasonable to require that the CNA also assign and publish a CVE ID (or use a CVE ID assigned by another CNA). If the CNA does not, the burden falls on some other part of the CVE Program (likely a CNA-LR). A CNA close to (with appropriate scope for) a vulnerability, typically the vendor, is the least cost avoider, i.e., the least expensive way to produce a CVE ID assignment.

Should CNAs be required to assign (or use another assignment) for vulnerabilities the CNA publishes about? Should such a requirement be tied to the "vendor" CNA role?

[zmanion]

Examples:

https://www.synology.com/en-us/security/advisory/Synology_SA_25_03
(Synology publishes CVE Records 90 days after publishing an advisory)

https://www.drupal.org/sa-contrib-2025-001
https://www.drupal.org/sa-contrib-2025-007
(many Drupal advisories from 2025)

This is perhaps sufficiently covered by 4.2.1.2? In which case, the MITRE Root and CNA-LR need to act, or delegate to "another CNA with appropriate scope" which I should be able to help with.

4.2.1.2 For Publicly Disclosed Vulnerabilities, if the CNA with the most appropriate scope:

1. preemptively documents that it will not assign, or
2. responds within 72 hours that it will not assign, or
3. does not respond within 72 hours,

then an appropriate Root MUST make a Vulnerability determination. If the Root determines that one or more Vulnerabilities exist, the Root MUST direct a CNA-LR or another CNA with appropriate scope to assign as quickly as possible and no later than 72 hours after becoming aware of the first refusal. Ownership of the CVE Record MAY be transferred.

While it would at least be professionally courteous to contact the CNAs in question, their public disclosures happend well over 72 hours ago and the potential additional delay of days or weeks to communicate with them is just an additional cost to the CVE Program.

[zmanion]

Synology-SA-25:03 published on 2025-02-26, CVE-2025-1021 published on 2025-04-23, 55 days later.

SA-CONTRIB-2025-001 published on 2025-01-08, CVE-2025-31676 published on 2025-03-31.

SA-CONTRIB-2025-007 published on 2025-01-22, CVE-2025-31679 published on 2025-03-31.

[zmanion]

Delaying CVE publication is not permitted according to

4.5.1.4 CNAs MUST publish a CVE Record to the CVE List within 72 hours of Publicly Disclosing a CVE ID assigned by the CNA. If the CNA does not publish within 72 hours, then the CNA’s Root MAY direct the appropriate CNA-LR to publish a CVE Record for the assigned CVE ID. Ownership of the CVE Record MAY be transferred. See also 4.2.1.2.

A possible rule change would be to require enforcement:

If the CNA does not publish within 72 hours, then the CNA’s Root MUST direct the appropriate CNA-LR to publish a CVE Record.

It is antithetical to the mission of the CVE Program for CNAs to publish vulnerability advisories lacking CVE IDs. If a CNA fails to meet this basic requirement, the Program should step in.