EOL Policy: remove Temporary EOL Rules Inconsistency #10

Open
eoinwm opened this issue Oct 24, 2023 · 0 comments

The 'Temporary Rules Inconsistency' (Section 3 of EOL Vulnerability Assignment Process) has been addressed in the new CNA Operational Rules. Section 3.1.11 "Scope Definitions for EOL Products" now reflects the suggested wording from the EOL Vulnerability Assignment Process:

  • "A CNA MAY specify in its Scope Definition whether or not the CNA assigns CVE IDs for EOL Products.

  • If a CNA Scope Definition 1) specifies that the CNA does assign for EOL Products or 2) does not specify whether or not the CNA assigns for EOL Products, then vulnerabilities that may affect EOL products MUST be reported through the CNA’s vulnerability reporting and disclosure processes.

  • If a CNA Scope Definition 3) specifies that the CNA does not assign for EOL Products, then CVE assignment requests MUST be handled by an appropriate CNA-LR as described in the End-of-Life Vulnerability Assignment Process.

As the rules inconsistency is addressed in the new CNA Operational Rules, it should be removed from the EOL Vulnerability Assignment Process when new rules are published.
