Process and governance knowledge

CNA work binds the organisation into an international trust system: the CVE programme. Accuracy, compliance, and disciplined process are non-negotiable. This section covers what to do and how to do it.

CVE programme rules

Assign CVE IDs:

  1. Confirm the vulnerability falls within the CNA scope.

  2. Check that it meets CVE inclusion criteria (publicly visible, distinct, and not already catalogued).

  3. Allocate a CVE ID following CVE numbering rules.

Publish CVE records:

  1. Draft a complete CVE record including description, references, and any mitigation information.

  2. Submit through the CVE CNA portal according to programme timelines.

Maintain consistency and compliance:

  • Always follow the CNA rules to ensure each CVE is handled the same way.

  • Double-check assignments for duplicates or misclassification.

Reference: CVE CNA Rules

Responsible disclosure norms

EU NIS2 Directive obligations:

  • Track regulatory requirements for operators and vendors.

  • Report security incidents according to mandatory timelines.

ENISA Coordinated Vulnerability Disclosure:

  • Disclose vulnerabilities to vendors first.

  • Avoid posting exploit details publicly before fixes are available.

Standards:

Internal CNA procedures

Follow templates and workflows:

  • Track reports and PoCs in the internal system (GitLab, GitHub).

  • Use structured fields for vulnerability details, impact assessment, and mitigation steps.

Coordinate internally:

  • Assign tasks to colleagues when validation or cross-checking is needed.

  • Keep a consistent naming and numbering scheme across all records.

Refine and audit processes:

  • Review past CVEs to spot gaps or inconsistencies.

  • Update templates and workflows to improve speed, accuracy, and resilience.