Merge pull request #139 from sethmlarson/patch-1
RFC: Becoming a CNA as an Open Source organization or project
SecurityCRob authored Nov 2, 2023
2 parents 95a98cb + 8c956cf commit 55ac215
Showing 1 changed file with 221 additions and 0 deletions.
221 changes: 221 additions & 0 deletions docs/guides/becoming-a-cna-as-an-open-source-org-or-project.md
@@ -0,0 +1,221 @@
# Becoming a CNA as an Open Source Organization or Project

> **NOTE:**
> This document was drafted using the following document revisions:
>
> * CVE Numbering Authority (CNA) Rules, Version 3.0
> * CVE Record Dispute Policy, Version 1.0
> * CVE Program Policy and Procedure for End of Life Products, Version 1.2
> * CVE Program Policy and Procedure for Inactive CNAs, Version 1.2
## Audience and Overview

[CVE Numbering Authorities](https://www.cve.org/PartnerInformation/ListofPartners) (CNAs) are organizations responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the Vulnerability in the associated CVE Record. You can learn more about CNAs from [the CVE website](https://www.cve.org/PartnerInformation/Partner). There are videos available covering the [CVE Program overview](https://youtu.be/rrNYEUNsXOY) and the [general process to become a CNA](https://youtu.be/13b5cuZR7CQ).

This guide was written for Open Source organizations and projects that are interested in becoming a CNA and managing their own CVEs. This is not a guide for becoming a [Root](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_3_roots) which has additional requirements.

This document will help cover the following topics:

* Benefits of becoming a CNA as an Open Source project
* Does your organization or project meet the requirements to become a CNA?
* What is the process for becoming a CNA?

A future document will cover other topics about CNA operations.

## Why become a CNA?

CVEs are a common way to record and share details about vulnerabilities in software projects. Because of their near-ubiquity, CVEs are often the method that downstream consumers will use to know when software they're using is vulnerable and requires remediation. This is especially evident with their use of security scanners and tools that report findings discovered in software and systems using the CVE identifiers.

CVE Numbering Authorities (CNAs) are the entities that can allocate CVE IDs and create corresponding CVE Records within a particular scope (a product, a project or group of affiliated projects, and the like). Becoming a CNA means that your organization will have a defined scope and will be able to create CVE IDs and Records for that defined scope autonomously.

Below are some of the benefits of becoming a CNA:

* **Provide high-quality authoritative CVE Records for your users.** CVE Records created by third-parties can be incomplete or inaccurate.
* **CVEs can't be issued for projects in a CNA's scope without first reporting to the CNA.** This means that reporters _must_ initially engage with your CNA, thus reducing confusion and allowing subject-matter experts on the project and security policy to weigh in on whether to create a CVE for a given disclosure.
* **Assign CVE IDs without needing to share embargoed information with other organizations.** This allows the project to determine for themselves who, if anyone, needs or gets pre-disclosure information.

## Important considerations

In addition to the requirements detailed below the following should be considered before becoming a CNA:

* **You don't need to become a CNA to get CVEs issued for your project**. Multiple CNAs already cover OSS projects
like Red Hat and GitHub. Becoming a new CNA should only be considered if the existing CNAs don't meet
the needs of the project.
* **Becoming a CNA adds a new commitment.** You must have the time and knowledge necessary to implement CNA processes.
Being a CNA is an ongoing commitment so your project should have multiple people able to manage the CNA and plans for continuity.
* **Issuing CVEs is the most important role of a CNA.** If you don't plan on issuing CVEs then becoming a CNA is not necessary.

## Requirements to become a CNA

Before becoming a CNA you can look at the below set of requirements to make sure joining the CNA Program is feasible for your project or organization. **Remember that you can always leave and rejoin the CNA Program at a later date if circumstances change.**

### Points of contact (POCs)

Preferably 2 or more and ordered primary, secondary, etc. For each point of contact you’ll need the following information which is **not publishing publicly** and is only used internally by the CNA Program:

* Name
* Email address (Can’t be a group email address)
* Phone number (**Required for primary POC only**, and only used for rare emergencies like [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) in scoped products)

### Time and reporting obligations

* **During CNA onboarding:**
* List of 3 available dates and times for a 1-hour call with CNA Program with all Points of Contact to answer questions and exercises. These three dates must be at least 3 weeks in the future.
* Complete practice exercises after the initial onboarding call and submit your exercises to the CNA Program for approval.

* **Throughout CNA operations:**
* **No time requirements on timeline for [non-public aspects of coordinated vulnerability disclosure](https://www.cve.org/ResourcesSupport/AllResources/CNARules#appendix_d_disclosure_and_embargo_policies) (ie reporting, acknowledging, disclosures, etc).**
* CVE dispute requests have timeliness requirements:
* 3 days to acknowledge the dispute.
* 5 days after acknowledgement to make a decision or extend and inform the requester.
* 15 days after optional extension to make a final decision or escalate up to your Root, resulting in a new dispute cycle.
* Get approval from Root with changes to CNA record data like POCs, scope, vulnerability disclosure policy and location, etc.
* CNA inactivity policy: 6 months of no CVE IDs allocated will cause a few heartbeat emails sent to POCs. After three attempts to contact your organization will be removed from the CNA Program (and you can reapply to join again).
* Yearly review of CNA Rules and checking CNA mailing list (sent to POC email addresses).
* Recommended yearly rotation of CVE Services credentials.

### Organization information

* Full name of organization (“Python Software Foundation”)
* Short name (ie “PSF”) used in CNA partner list and for authentication with CVE Services.
* Industry using [Global Industry Classification Standard](https://en.wikipedia.org/wiki/Global_Industry_Classification_Standard) (GICS). Likely to be “451030” corresponding with “Software” for Open Source projects.
* Country of Origin.
* CNA Role & Type. Likely to be “Open Source” and “Vendor” for Open Source projects.

### CNA and CVE information

It’s acceptable to not have these fields complete at time of submission, they are finalized after the initial meeting and before announcing your organization as a CNA.

* Root (recommended RedHat for Open Source projects)
* Public contact information (ie email address, web form)
* Scope statement
* Vulnerability disclosure policy URL
* Advisory location URL

Optionally have the answers to this information:

* Are there any in-flight CVE ID requests for your organization? (Let CVE know if there are, these can potentially be reassigned to your new CNA)
* Approximate number of CVE IDs needed in a year (you can always request more)

## Process to become a CNA

### Contact Red Hat to become a CNA under their Root

[Red Hat is the recommended Root for Open Source projects](https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat). You can contact them to start the conversation at `[email protected]`.
If you don't want Red Hat to be your Root you can contact any other Root (search "Root" in the [list of CNAs](https://www.cve.org/PartnerInformation/ListofPartners)).

You can always ask your prospective Root questions about the process of becoming and operating a CNA, they will be an excellent resource to you.

### Submitting the Onboarding Form

> **NOTE:**
> Every CNA application process is a little bit different due to variables like which Root or Top-Level Root is selected and the individual CNA applying.
> The numbers below are very rough estimates of the amount of time a successful application will take.
The first step towards becoming a CNA is to request more information about the CNA Program from the [CVE Request Form](https://cveform.mitre.org/). Select “Request Information on the CVE Numbering Program (CNA)” and fill out all the required fields, hit submit, and then wait for a reply with another form from the CNA Program operators. If you’re even somewhat interested in being a CNA, you should do this (there’s no cost or downside!)

When you’ve received the second form, this is where you’ll be filling in information about Points of Contact, Organization, etc about your prospective CNA, and the Root for your organization.
Red Hat is the preferred Root for Open Source organizations. However, you can choose any other Root that aligns better to your CNA scope.
In case you are not able to make that decision now, don’t worry. You can choose MITRE TL-Root in the registration form.
Like is mentioned in the Requirements section, **many of these fields don’t need to be finalized before submitting the form**. Focus on filling in everything that you can and then picking the dates for your initial meeting with the CNA Program. You’ll have some time to discuss with the CNA Program folks and update your response before your initial meeting.

The minimum amount of time between first contacting the CNA Program and being announced as a CNA is 4 weeks, and it will take at least 3 weeks before your first video call with the CNA Program.
During this period between first contact and your first call, this is the time when you can work on the following:

* Solidifying your scope, vulnerability disclosure policy, and vulnerability disclosure publishing location. You can look at the [existing list of CNA Partners](https://www.cve.org/PartnerInformation/ListofPartners) for examples.
* Learn about CNA Rules and processes from the published documentation and videos.
* Experiment with CVE Record format in [Vulnogram](https://vulnogram.github.io/).

Prior to attending the onboarding call I recommend reviewing the below resources.

### CNA Onboarding Videos

Watch all the informational videos from the [CNA onboarding documentation](https://www.cve.org/ResourcesSupport/Resources#cnaOnboarding). Approximately an hour of content about the program, becoming a CNA, assigning CVE IDs, and creating CVE records. Slides are available on the website.

* [CVE Program Overview](https://youtu.be/rrNYEUNsXOY) (5 minutes)
* [Becoming a CNA](https://youtu.be/13b5cuZR7CQ) (15 minutes)
* [Assigning CVE IDs](https://youtu.be/JQYq-mxLo-U) (26 minutes)
* [CVE Record Creation](https://youtu.be/se-yM_LureQ) (7 minutes)

### CVE Services

CNAs use [CVE Services](https://www.cve.org/AllResources/CveServices) to manage CVE IDs and records. CVE Services is essentially a set of APIs around the CVE database to manage a CNAs' block of CVE IDs and records.

Watch the following videos:

* [Getting a CVE Services Account](https://www.youtube.com/watch?v=KSNvidMTKNA) (10 minutes)
* [CVE Record Workflow](https://www.youtube.com/watch?v=k6eRdnzgk9E) (6 minutes)
* [Demo on Vulnogram, an open source CVE Services client UI](https://www.youtube.com/watch?v=o3V-fmQpC0o) (10 minutes)

There are optional videos available with a historical overview of CVE Services and deep-dive into CVE Record JSON 5 format. You don't have to watch these, but if you're interested they are there:

* [Introduction to CVE Services](https://www.youtube.com/watch?v=K2OoRpDhzss) (37 minutes)
* [CVE JSON 5 Format](https://www.youtube.com/watch?v=YWZECqzRI7M) (45 minutes)


### CNA Rules

There is a [list of rules for all CNAs](https://www.cve.org/ResourcesSupport/AllResources/CNARules) published by CVE. Many of these rules apply to CNAs which aren't sub-CNAs like the PSF. The rules that do apply to Sub-CNAs are documented in these sections, read each of these:

* [Terminology / Definitions](https://www.cve.org/ResourcesSupport/AllResources/CNARules#appendix_a_definitions)
* [Rules for Sub-CNAs](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_2_sub_cnas)
* [CVE Assignment Rules](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_7_assignment_rules)
* [CVE Record Requirements](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_8_cve_record_requirements)
* [Defining CNA Scope](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_10_defining_cna_scope)
* [Process to Correct Assignment Issues or Update CVE Records](https://www.cve.org/ResourcesSupport/AllResources/CNARules#appendix_c_process_to_correct_assignment_issues_update_cve_records)
* [Disclosure and Embargo Policies](https://www.cve.org/ResourcesSupport/AllResources/CNARules#appendix_d_disclosure_and_embargo_policies)

Pay close attention to **CVE Assignment Rules** and **CVE Record Requirements** as they will be the subject of the exercises for the onboarding call with the CNA Program.

## Community Support

[CVE has multiple working groups](https://www.cve.org/ProgramOrganization/WorkingGroups), some of which are only available to join after being accepted into the CNA Program. The CNA Coordination Working Group provides mentorship and fosters better communication and participation from CNAs.

Upon being accepted into the CNA Program there is also a CNA-only Slack channel hosted by CVE which can be used for asking questions and checking with other CNAs on how they’d handle certain situations.

## Q&A

**Q: Do I need to be an organization / company to become a CNA?**

A: No. Individual people could theoretically be a CNA, most of what matters is that you follow the rules of the program consistently and you’re able to meet the time requirements for CVE disputes.

**Q: Does everyone who’s handling CNA operations need to be a part of the same organization / company that the CNA represents?**

A: No. You can create CVE Services accounts for people outside your organization, including volunteers. What matters is that they know and follow CNA Rules when operating the CNA and that credentials are handled securely.

**Q: Should I scope end-of-life products / releases?**

A: End-of-life products / releases can still have CVEs assigned, whether you have them scoped or not is up to you and only changes whether MITRE (CNA-LR) or your CNA is issuing the CVEs. Advice is to start with end-of-life products / releases scoped and drop them from scope if the workload is too much.

**Q: Do I have to provide a CVSS score?**

A: No, that field is optional. NVD (National Vulnerability Database) tries to provide a CVSS score on every CVE.

**Q: Can all my CVE ID blocks be managed through CVE Services rather than through another service?**

A: Yes, and this is the recommended way. However, CVE Services cannot be used as a database for unpublished or incomplete records, submitting a CVE Record to CVE Services immediately moves it to the published state. Coordination on CVE Records thus cannot happen via CVE Services alone.

**Q: By becoming a CNA can I update CVEs that were issued against our newly scoped projects?**

A: No, you need to use the CVE Record update / dispute process with the assigner of each pre-existing CVE.

**Q: What does “web-scraping” advisory location mean? (From an onboarding form)**

A: This is a location where all CVE IDs appear in text such that they can be scraped by a web scraping process. This web scraping process is sometimes used by CVE to ensure that CVE IDs that get published as advisories are made publicly available in a timely manner. For monitored locations, CVE will give you a reminder if you publish an advisory and don’t publish the corresponding CVE Record in a few days. Publishing a CVE ID (like in an advisory) without publishing the corresponding CVE Record is called “[Reserved but public (RBP)](https://www.cve.org/ResourcesSupport/Glossary#glossaryRBP)” and is not permitted by the CNA Rules.

**Q: Is CNA status permanent? What are the ways CNA status can be revoked?**

A: CNA status is not permanent, it can be relinquished voluntarily any time by writing to the CNA’s Root. CNA status can be revoked if …

* CNA doesn’t meet the timelines specified in the CVE Record dispute process.
* CNA doesn’t respond to heartbeat emails after a period of inactivity.
* CNA violates CNA Rules and the CNA’s Root decides to revoke CNA status as a remediation.

## Known differences/errata for CNA Rules

There are a few known differences between the onboarding and requirements from CVE and what's documented in the CNA Rules. Those are captured below:

* CNA must provide a phone number for the primary POC.
* CNA either should or must publish CVE Records within 24 hours of publication of a CVE ID.
* CNA timeliness requirements for CVE Disputes are not documented in the CNA Rules.
* Who does CVE share phone numbers with? CISA (due to KEV mention)?
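Review bot: The sentence "Many of these rules apply to CNAs which aren't sub-CNAs like the PSF" in the "### CNA Rules" section is ambiguous and names the PSF as though it were the reader's organization, in a guide addressed to any Open Source org; suggest "Many of the rules apply only to Roots and other CNAs that are not Sub-CNAs; the sections that do apply to a Sub-CNA (which is what a project joining under a Root such as Red Hat will be) are listed below." In the same area, "Prior to attending the onboarding call I recommend reviewing the below resources." is the only first-person sentence in the document; "review the resources below before the onboarding call" matches the rest of the guide. Minor wording fixes: "which is **not publishing publicly**" under Points of contact should read "not published publicly"; "Like is mentioned in the Requirements section" should read "As mentioned in the Requirements section"; "(there's no cost or downside!)" is missing its closing period. In the CVE Services Q&A, "submitting a CVE Record to CVE Services immediately moves it to the published state" could be read as meaning any use of the API makes the vulnerability public; worth stating that this applies to submitting the record, not to allocating IDs from the CNA's block, which the "Reserved but public (RBP)" answer already treats as a separate step, so that projects are not discouraged from allocating IDs early in an embargo. Finally, the errata item "CNA either should or must publish CVE Records within 24 hours of publication of a CVE ID" describes the same obligation as the RBP answer; a cross-reference between the two would keep them from drifting apart as the errata list is resolved.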
