Recordkeeping and compliance

Accurate records are the backbone of CNA work. They support reproducibility, regulatory compliance, and organisational resilience. Every CVE assigned, every report validated, and every communication tracked contributes to a reliable record.

CVE tracking

Log every assignment:

  • Record CVE ID, scope, affected components, severity, and status.

  • Ensure entries match CVE programme rules and templates.

Monitor progress:

  • Track each vulnerability from report submission through validation, mitigation, and publication.

  • Note any delays, escalations, or exceptions.

Reference: CVE CNA Rules

Internal documentation

Standardised templates:

  • Include fields for report metadata, PoC references, validation steps, and mitigation recommendations.

  • Ensure consistency across all reports for clarity and auditability.

Cross-referencing:

  • Link internal tickets, communications, and lab notes to CVE records.

  • Maintain a clear trail from initial report to closure.

Reference: ISO/IEC 29147 – Vulnerability disclosure

Reference: ISO/IEC 30111 – Vulnerability handling

Audit and process review

Periodic reviews:

  • Regularly check records for completeness, accuracy, and adherence to CNA rules.

  • Identify gaps or inconsistencies and correct them promptly.

Continuous improvement:

  • Update templates, checklists, and workflows based on lessons learned.

  • Ensure that process refinements are documented and communicated internally.
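As an added illustration (not part of this guidance), a small completeness check over constructed records for the periodic review above: it verifies that the fields listed under CVE tracking are present, that the CVE ID has the CVE-YYYY-NNNN form, and that every lifecycle stage up to the recorded status carries a date. The field names, stage labels and sample records are assumptions chosen for the example.

```python
import re

# CVE ID syntax: "CVE-<year>-<four or more digits>".
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Lifecycle stages in the order the tracking section lists them (assumed labels).
LIFECYCLE = ("submitted", "validated", "mitigated", "published")

# Fields every record must carry; "tickets" holds the cross-referenced internal IDs.
REQUIRED = ("cve_id", "scope", "affected_components", "severity", "status", "tickets")


def audit_record(rec: dict) -> list[str]:
    """Return a list of findings for one record; an empty list means it passes."""
    findings = []
    for name in REQUIRED:
        if not rec.get(name):  # absent or empty counts as missing
            findings.append(f"missing field: {name}")
    cve_id = rec.get("cve_id", "")
    if cve_id and not CVE_ID_RE.match(cve_id):
        findings.append(f"malformed CVE ID: {cve_id}")
    status = rec.get("status")
    if status not in LIFECYCLE:
        findings.append(f"unknown status: {status}")
    else:
        # A record at a given stage must have a date for that stage and all earlier ones,
        # so a "published" entry with no validation date shows up as a gap in the trail.
        reached = LIFECYCLE[: LIFECYCLE.index(status) + 1]
        for stage in reached:
            if not rec.get("dates", {}).get(stage):
                findings.append(f"no date for stage: {stage}")
    return findings


def audit_all(records: list[dict]) -> dict[str, list[str]]:
    """Map each record's CVE ID (or a placeholder) to its findings."""
    return {r.get("cve_id") or "<no id>": audit_record(r) for r in records}


# Constructed sample records: the first is complete, the second has three gaps.
SAMPLE_RECORDS = [
    {"cve_id": "CVE-2024-12345", "scope": "example-lib", "affected_components": ["parser"],
     "severity": "high", "status": "mitigated", "tickets": ["VULN-42"],
     "dates": {"submitted": "2024-03-01", "validated": "2024-03-04", "mitigated": "2024-03-20"}},
    {"cve_id": "CVE-2024-123", "scope": "example-lib", "affected_components": ["api"],
     "severity": "medium", "status": "published", "tickets": [],
     "dates": {"submitted": "2024-04-02", "mitigated": "2024-04-18", "published": "2024-04-20"}},
]

if __name__ == "__main__":
    for cve, findings in audit_all(SAMPLE_RECORDS).items():
        print(cve, "OK" if not findings else "; ".join(findings))
```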