Merge pull request #3235 from CVEProject/content-rjr-3232
#3232 Process page updates
jdaigneau5 authored Oct 29, 2024
2 parents 9f3c19a + 9da5c74 commit f517bc1
Showing 1 changed file with 52 additions and 25 deletions.
77 changes: 52 additions & 25 deletions src/views/About/Process.vue
@@ -6,12 +6,14 @@
<div class="content">
<h1 class="title">Process</h1>
<p>
There is one <router-link to='/ResourcesSupport/Glossary?activeTerm=glossaryRecord'>CVE Record</router-link> for each vulnerability on
the <router-link to='/ResourcesSupport/Glossary?activeTerm=glossaryCVEList'>CVE List</router-link>. Vulnerabilities are first
discovered, then reported to the CVE Program. The reporter requests a
There is one
<router-link to='/ResourcesSupport/Glossary?activeTerm=glossaryRecord'>CVE Record</router-link>
for each vulnerability on the
<router-link to='/ResourcesSupport/Glossary?activeTerm=glossaryCVEList'>CVE List</router-link>.
Vulnerabilities are first discovered, then reported to the CVE Program. The reporter requests a
<router-link to='/ResourcesSupport/Glossary?activeTerm=glossaryCVEID'>CVE ID</router-link>,
which is then reserved for the reported vulnerability. Once the reported vulnerability is
confirmed by the identification of the minimum required data elements for a CVE Record, the record is published to the CVE List.
which is then reserved for the reported vulnerability. Once the reported vulnerability is confirmed by the
identification of the minimum required data elements for a CVE Record, the record is published to the CVE List.
CVE Records are published by CVE Program partners from around the world. This process is described below.
</p>
<h2 :id="cvenavs['About']['submenu']['Process']['items']['CVE Record Lifecycle']['anchorId']" class="title">
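Review bot: the reflowed intro paragraph still says "The reporter requests a CVE ID", while step 3 in this same commit is reworded to "CVE Program partner assigns a CVE Identifier (CVE ID)". Decide who performs the action and use the same verb in both places. The rest of this hunk is only re-wrapping, so consider keeping line-length reflow in a separate commit so that wording changes are easier to spot in review.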
@@ -38,16 +40,17 @@
<div class="timeline-marker is-3">2</div>
<div class="timeline-content">
<h3 class="title">Report</h3>
<p>Discoverer reports a vulnerability to a
<router-link to='/PartnerInformation/ListofPartners'>CVE Program participant</router-link>.
<p>
Discoverer reports a vulnerability to a
<router-link to='/PartnerInformation/ListofPartners'>CVE Program partner</router-link>.
</p>
</div>
</div>
<div class="timeline-item">
<div class="timeline-marker">3</div>
<div class="timeline-content">
<h3 class="title">Request</h3>
<p>CVE Program participant requests a CVE Identifier (CVE ID).</p>
<p>CVE Program partner assigns a CVE Identifier (CVE ID).</p>
<section class="cve-accordion">
<div class="message">
<div class="message-header">
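Review bot: in step 3 the heading is still `<h3 class="title">Request</h3>` while the sentence under it now reads "CVE Program partner assigns a CVE Identifier (CVE ID)", so the heading and the body describe different actions. Either rename the heading to match or keep "requests" in the sentence. The "participant" to "partner" rename in step 2 keeps the same link target, `/PartnerInformation/ListofPartners`, which is consistent.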
@@ -77,16 +80,28 @@
portion is not used to indicate when the vulnerability was discovered.
</p>
<p>
The “Arbitrary Digits,” or sequence number portion, can include four or more digits in the sequence number portion of the
ID. For example, <span class="has-text-weight-bold">CVE-YYYY-NNNN</span> with four digits in the sequence number,
The “Arbitrary Digits,” or sequence number portion, can include four or more digits in the sequence number portion of
the ID. For example, <span class="has-text-weight-bold">CVE-YYYY-NNNN</span> with four digits in the sequence number,
<span class="has-text-weight-bold">CVE-YYYY-NNNNNNN</span> with seven digits in the sequence
number, etc. There is no limit on the number of arbitrary digits.
</p>
<p>The CVE Program’s CNA Rules include additional helpful information about CVE IDs:</p>
<p>
<router-link to='/ResourcesSupport/AllResources/CNARules#section_7_assignment_rules'>Assignment Rules</router-link>
- how CVE IDs are assigned.
The CVE Program’s
<router-link to='/ResourcesSupport/AllResources/CNARules'>CNA Rules</router-link>
include additional helpful information about CVE IDs:
</p>
<ul>
<li>
<router-link to='/ResourcesSupport/AllResources/CNARules#section_4-1_Vulnerability_Determination'>
Vulnerability Determination
</router-link>
</li>
<li>
<router-link to='/ResourcesSupport/AllResources/CNARules#section_4-2_CVE_ID_Assignment'>
CVE ID Assignment
</router-link>
</li>
</ul>
</div>
</div>
</div>
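Review bot: the new fragments `#section_4-1_Vulnerability_Determination` and `#section_4-2_CVE_ID_Assignment` are mixed case, whereas the fragment they replace, `#section_7_assignment_rules`, was lowercase. Fragment ids are matched case-sensitively, so please confirm both match the ids in the CNARules view exactly. The re-wrapped sentence above also still says "sequence number portion" twice ("or sequence number portion, can include four or more digits in the sequence number portion of the ID"), which could be tightened while the line is being touched.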
@@ -99,16 +114,16 @@
<h3 class="title">Reserve</h3>
<p>The ID is reserved, which is the initial state of a CVE Record.</p>
<p>
The Reserved state means that CVE stakeholder(s) are using the CVE ID for early-stage vulnerability coordination and management,
but the CNA is not yet ready to publicly disclose the vulnerability.
The Reserved state means that CVE stakeholder(s) are using the CVE ID for early-stage vulnerability coordination and
management, but the CNA is not yet ready to publicly disclose the vulnerability.
</p>
</div>
</div>
<div class="timeline-item">
<div class="timeline-marker">5</div>
<div class="timeline-content">
<h3 class="title">Submit</h3>
<p>CVE Program participant submits the details.</p>
<p>CVE Program partner submits the details.</p>
<p>
Details include but are not limited to affected product(s); affected or fixed product versions; vulnerability type, root
cause, or impact; and at least one public reference.
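Review bot: the Submit step now says "CVE Program partner submits the details", but the Reserve paragraph directly above it still says "the CNA is not yet ready to publicly disclose the vulnerability", and CNA is neither expanded nor linked in the lines shown. Use one term for the actor across the lifecycle steps, or link CNA to its glossary entry at this first use.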
@@ -143,17 +158,23 @@
<div class="message-body" :class="{'is-hidden': accordion['cve-record']}" id="cve-record">
<div class="block">
<p>
A CVE Record is the descriptive data about a vulnerability associated with a CVE ID, provided by a CVE Numbering
Authority (<router-link to='/ResourcesSupport/Glossary?activeTerm=glossaryCNA'>CNA</router-link>). This data is provided
in multiple human and machine-readable formats.
A CVE Record is the descriptive data about a vulnerability associated with a CVE ID, provided by a
<router-link to='/ResourcesSupport/Glossary?activeTerm=glossaryCNA'>
CVE Numbering Authority (CNA)
</router-link>
partner. This data is provided in a human and machine-readable
<router-link to='/AllResources/CveServices#CveRecordFormat'>
format
</router-link>.
</p>
<p>Each CVE Record includes the following:</p>
<p>Each CVE Record includes, at a minimum, the following:</p>
<ol>
<li>
CVE ID with four or more digits in the sequence number portion of the ID (i.e., “CVE-1999-0067”, “CVE-2019-12345”,
“CVE-2021-7654321”).
</li>
<li>Brief description of the security vulnerability.</li>
<li>Affected products and versions.</li>
<li>Any pertinent references (i.e., vulnerability reports and advisories).</li>
</ol>
<p>A CVE Record is associated with one of the following states:</p>
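Review bot: the new link target `/AllResources/CveServices#CveRecordFormat` lacks the `/ResourcesSupport` prefix that the other resource links in this file use (for example `/ResourcesSupport/AllResources/CNARules`), so please confirm the route resolves. Putting the link text on its own lines inside `<router-link>` also adds leading and trailing whitespace to the rendered link, which will show before the closing period after "format"; keeping the text on the same line as the tags avoids that.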
@@ -172,15 +193,21 @@
so that users know that the CVE ID and CVE Record are invalid.
</li>
</ul>
<p>The CVE Program’s CNA Rules include additional helpful information about CVE Records: </p>
<p>
The CVE Program’s
<router-link to='/ResourcesSupport/AllResources/CNARules'>CNA Rules</router-link>
include additional helpful information about CVE Records:
</p>
<ul>
<li>
<router-link to='/ResourcesSupport/AllResources/CNARules#section_8-1_cve_record_information_requirements'>CVE Record
Information Requirements</router-link> – the full requirements for a CVE Record.
<router-link to='/ResourcesSupport/AllResources/CNARules#section_5_CVE_Record_Content'>
CVE Record Content
</router-link>
</li>
<li>
<router-link to='/ResourcesSupport/AllResources/CNARules#section_7_assignment_rules'>Assignment Rules</router-link>
– the data elements required within a CVE Record.
<router-link to='/ResourcesSupport/AllResources/CNARules#section_4-2_CVE_ID_Assignment'>
CVE ID Assignment
</router-link>
</li>
</ul>
</div>
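Review bot: the replacement list items drop the short glosses the old entries carried ("the full requirements for a CVE Record", "the data elements required within a CVE Record"), so readers now get bare link titles with no hint of what each section covers. Consider keeping a one-line description per link. The "CVE ID Assignment" entry pointing at `#section_4-2_CVE_ID_Assignment` also appears in the CVE ID accordion earlier in this file; check that listing it in both places is intended.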