
Secretariat should have complete editorial control #5

Open
zmanion opened this issue Oct 4, 2023 · 2 comments

Comments

@zmanion
Owner

zmanion commented Oct 4, 2023

We very carefully and intentionally balance the CNA value proposition. Particularly for "vendor" CNAs, the CNA has significant influence (editorial control) over CVE Record content. This sometimes involves language about "ownership." In return, the Program benefits greatly from additional and distributed resources and efficient volunteer effort, since "vendor" CNAs are the least cost avoider (most likely to know the most about the vulnerabilities affecting their products).

With this in mind, as part of the current CNA Operational Rules revision, consider adding rules that make it clear that the Program owns all the content and the Secretariat retains complete editorial and content control.

Personal opinion, we're dabbling in a lot of complexity (more JSON, ADPs) when a simpler solution may be to let the Secretariat just make changes when needed.

(from CVEProject/strategic-planning-working-group#5)

@zmanion
Owner Author

zmanion commented Oct 4, 2023

Who holds the copyright to CVE Records? MITRE? DHS? Is "The CVE Program" a legal-enough entity to hold rights?

https://www.cve.org/Legal/TermsOfUse

Sample CNA rules language.

The CVE Program retains complete editorial and content control over CVE Records.

The Secretariat MAY make changes to any CVE Records without first consulting the assigning CNA.

The Secretariat MUST notify the CNA of any changes and SHOULD provide rationale for the changes.

In most cases, the Secretariat SHOULD contact the assigning CNA to discuss or request changes to CVE Records.

@zmanion
Owner Author

zmanion commented Oct 4, 2023

Who holds the copyright to CVE Records? MITRE? DHS? Is "The CVE Program" a legal-enough entity to hold rights?

Per Kent, MITRE does.
