From c29d3996caef10b3d5b788c3c9a97c651d783f23 Mon Sep 17 00:00:00 2001 From: eoinwm <114438429+eoinwm@users.noreply.github.com> Date: Wed, 4 Jun 2025 13:13:05 -0500 Subject: [PATCH 1/6] NEW CVE_Dispute_Policy.md Updated to CVE Dispute Policy v2.0.0: https://docs.google.com/document/d/12Rj9mR8D_ueFrUqGdWnFvu5K_Z9vgzTY9tlh2WskjAs/edit?tab=t.0 --- CVE_Dispute_Policy.md | 126 +++++++++++++++++++++++++++++++++--------- 1 file changed, 99 insertions(+), 27 deletions(-) diff --git a/CVE_Dispute_Policy.md b/CVE_Dispute_Policy.md index 6ac5295..a297bec 100644 --- a/CVE_Dispute_Policy.md +++ b/CVE_Dispute_Policy.md 
@@ -1,55 +1,127 @@ | Status | Final | | ---: | --- | -| Version | 1.0 | -| Adopted | 2022-09-22 | -| Effective | 2022-09-22 | +| Version | 2.0.0 | +| Adopted | 2025-mm-dd | +| Effective | 2025-mm-dd | # CVE Program Policy and Procedure for Disputing a CVE Record -This policy and procedure is enforced by [Roots](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRoot), [Top-Level Roots (TLR)](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryTLRoot), and the Council of Roots (CoR). +## Introduction -## Definitions +This policy and procedure for disputing CVE Records is enforced by [Top-Level Roots (TL-Root)](https://www.cve.org/ResourcesSupport/Glossary#glossaryTLRoot) and [Roots](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRoot). -* **Disputes:** Disagreements with the accuracy or completeness of a [CVE Record](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRecord), or the validity of a vulnerability upon which a CVE Record is based. +## Terms and Definitions -* **Escalation:** The process by which disputes are evaluated and resolved. +Specific terms are defined in the [CVE Program Glossary](https://www.cve.org/ResourcesSupport/Glossary) and are capitalized when used in this document. The following fully-capitalized key words explain the requirement levels used in this document: -## Policy +- MUST: Mandatory +- MUST NOT: Prohibited +- SHOULD: Recommended +- SHOULD NOT: Not recommended +- MAY: Discretionary -It is the policy of the [CVE Program](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryProgram) that all disputes be initiated and escalated through the appropriate Root hierarchy, starting with the CVE Numbering Authority (CNA) within the hierarchy that owns the scope for which the record applies. Should any party in a dispute not accept the decision of the Root or TLR within a hierarchy, the CoR may decide to get involved and make the decision. All CoR decisions are final. 
+## CVE Record Dispute Policy and Procedure -CVE Records may be disputed for a variety of reasons by various stakeholders participating in the CVE Program. Examples include: +The [CVE Program](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryProgram) requires all disputes to be initiated and escalated through the appropriate (TL-) Root hierarchy, beginning with the CVE Numbering Authority ([CNA](https://www.cve.org/ResourcesSupport/Glossary#glossaryCNA)) responsible for the affected scope. If the dispute involves a vulnerability determination outside any CNA’s scope, the process may start with a CNA of Last Resort ([CNA-LR](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCNALR)). -* **Record accuracy:** A published CVE Record may contain information that a program stakeholder believes is inaccurate. For example, a [CNA of Last Resort (CNA-LR)](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCNALR) may publish a CVE Record to the [CVE List](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEList) based on a claim-based vulnerability report submitted by a third party (e.g., an independent researcher). In this example, the developer of the technology (i.e., a vendor or maintainer), may believe the technology is behaving as intended and no vulnerability exists. When both a claim-based vulnerability report and vendor or maintainer assertion of technology behavior are in conflict, and there is insufficient information to demonstrably prove one point of view over another, the CVE Record may be disputed by the technology vendor or maintainer. Third parties may also dispute a CVE Record if they can put forth a valid point of view. +If a disputing party disagrees with the initial decision of a CNA or CNA-LR, they may escalate the matter to the next level in the hierarchy—either a Root or TL-Root—for further review. TL-Roots’ decisions are final, except in cases involving cross-hierarchy scope issues. 
-* **Incomplete information:** A Published CVE Record may lack sufficient information for the vulnerability to be re-created by a CVE Program stakeholder. In this case, the technology vendor, maintainer, or third party may dispute the CVE Record. +Disputes spanning multiple hierarchies will be adjudicated by the [Council of Roots](https://www.cve.org/ResourcesSupport/Glossary#glossaryCoR). Final determinations may uphold the Root or TL-Root decision, concluding the discussion. -* **Disputed upon CVE Record creation:** While infrequent, some CVE Records are created in disputed status. This occurs when the original reference for the record indicates that a bug exists, but there are differences of opinion about whether the bug is a vulnerability based on the CVE Program’s definition. The existence of a patch for a bug does not demonstrably prove that a vulnerability exists. In this case, a CNA-LR may assign a [CVE ID](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEID) and publish a CVE Record with a DISPUTED tag. +The Dispute Resolution Process details can be found below. In cases involving significant cross-scope aspects, relevant parties should meet to identify the root cause and determine the most appropriate scope, following guidance from the [CVE Program Rules](https://www.cve.org/resourcessupport/allresources/cnarules). -CNAs, Roots, and TLRs must have a publicly facing way for CVE Program stakeholders to initiate dispute and escalation processes. They must also include a URL to this policy or include this policy on their public-facing website so that CVE Program stakeholders understand that disputes can be made, and that a process exists for both initiating and escalating a dispute. +CVE Records may be disputed for a variety of reasons by various stakeholders participating in the CVE Program. 
Examples include disputes both before and after the creation of a CVE Record: -CNAs, Roots, and TLRs may coordinate the dispute and escalation process, consistent with this policy, by whatever means work best for them. Dispute and escalation processes must be timely, effective, and based on the application of CVE Program rules. Each party in a dispute must document their rationale regarding a dispute. Such documentation must be in a common text format such as a text entry box in a web form, or a Markdown document. This is necessary to effectively orchestrate the dispute escalation procedure described below. The final arbiter of a dispute is the CoR, should the CoR decide to consider the dispute. CoR decisions are final and may not be appealed. This includes determining that the TLR decision is appropriate, and no further discussion is required. +1. During Vulnerability Determination -It is expected that very few disputes will require adjudication by the CoR. The CoR will determine what cases require its intervention. However, the CoR may not intervene until the escalation process is complete within a TLR hierarchy. Should the CoR decide not to intervene, the decision of the TLR will be final, with no recourse for appeal. Cases where the CoR chooses to intervene typically represent a set of uncommon circumstances. In these cases, the [CVE Board](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryBoard) must be informed so the circumstances driving the dispute can be considered in terms of potential enhancements to this policy or other program policies and rules. + a. CVE Record Validity: One party contends that a CVE Record should be created, and another party (e.g., a Supplier CNA or CNA-LR) contends that it should not because it is not a valid vulnerability. 
-If the technology vendor or maintainer is a CNA, a CNA-LR must not assign a CVE ID and publish a CVE Record without first conferring with that CNA, to minimize cascades of disputes and maximize record quality. + b. Publish as Disputed: While infrequent, some CVE Records are created in disputed status. This occurs when the original reference for the record indicates a bug exists, but there are differences of opinion about whether the bug is a vulnerability based on the CVE Program’s definition. The existence of a patch for a bug does not demonstrably prove that a vulnerability exists. In this case, a CNA or CNA-LR may decide to assign a [CVE ID](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEID) and publish a CVE Record with a disputed tag. -## Procedure +2. After CVE Record Creation -![CVE Dispute Process Flowchart](assets/dispute_flowchart.png) + a. CVE Record Validity: A published CVE Record may contain information that a program stakeholder believes is inaccurate. For example, a CNA-LR may publish a CVE Record to the [CVE List](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEList) based on a claim-based vulnerability report submitted by a third party (e.g., an independent researcher). In this example, the Supplier may believe the technology is behaving as intended and no vulnerability exists. When both a claim-based vulnerability report and Supplier assertion of technology behavior are in conflict, and there is insufficient information to demonstrably prove one point of view over another, the CVE Record may be disputed by the Supplier. Third parties may also dispute a CVE Record if they can put forth a valid point of view. -1. The party initiating the dispute must document their rationale for the dispute and submit the rationale to the CNA. The disputing party should provide evidence and rationale as a basis for the dispute (e.g., issue trackers, application security policy, findings). + b. 
CNA Operational Rules Violations: One party contends that the Assignment(s) and Publication(s) of CVE Record(s) are in violation of the CVE Program rules. This covers use cases such as scoping. -2. The CNA will acknowledge receipt of the dispute, in writing, within three business days. + c. Assignment Disagreement: One party contends that a CVE Record(s) should be curated in a manner contrary to the assigning party (e.g., situations where the Assigner and a Researcher disagree on how many CVEs should be assigned to a particular issue). -3. The CNA will review the rationale and engage the appropriate stakeholders, as necessary, to develop an understanding of the basis for the dispute. +## Process Overview -4. The CNA will apply the CNA Operational Rules against the dispute rationale and will decide within five business days regarding the validity of the dispute. The five-day period will begin after the 72-hour receipt and acknowledgment period ends. Should the fiveday period be an inadequate span of time, the CNA will inform the parties in the dispute that more time is needed. Should any extension of time exceed 15 business days, the dispute may be escalated to the Root. In this case, the Root will confer with the CNA to determine an appropriate time frame. +CNAs, Roots, and TL-Roots MAY serve as CVE Record dispute Adjudicators when necessary. To ensure transparency, each Adjudicator MUST provide a public-facing method for CVE Program stakeholders to initiate and escalate disputes[^1]. Additionally, Adjudicators MUST either host this policy on their public website or provide a direct URL to it, ensuring stakeholders are aware of the dispute resolution process. - a) *Valid dispute:* The CNA will notify the parties of concern in writing of the decision and will modify the CVE Record. Should this be the outcome, provided the disputing party agrees with the modification, no escalation is required. 
The disputing party may escalate the issue should they disagree with the record modification. +[^1]: CNA Operational Rule [3.2.3.1](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_3-2_CNA_Administration) states that “CNAs MUST provide public POC information that is published in the [List of Partners](https://www.cve.org/PartnerInformation/ListofPartners). The public POC is used for requests related to CVE ID assignment, CVE Record content, and other CVE-related issues.” - b) *Invalid dispute:* The CNA will notify the disputing party of the decision in writing, indicating that no record modification will be made. The disputing party may escalate the issue in this case. +CNAs, Roots, and TL-Roots have the flexibility to manage disputes and escalations using methods that best suit their operations, as long as they remain consistent with this policy. TL-Roots, however, hold a unique responsibility to coordinate among themselves when handling disputes involving cross-hierarchy implications. -Should the escalation process be initiated, the Root, TLR, and CoR will follow the same procedure. Regardless of the outcome of a dispute, the Root, TLR, or CoR, will inform the parties in a dispute of the dispute escalation process. This can be done by pointing to this policy. +Dispute and escalation processes must be timely, effective, and aligned with CVE Program rules. Each party involved in a dispute must document their rationale, ensuring a structured and transparent escalation process as outlined below. -In cases where the dispute is valid, but the CNA will not modify the CVE Record, the appropriate CNA-LR will tag the CVE Record with the DISPUTED tag and will provide the rationale for the validity of the dispute. This step will be taken after the dispute escalation process has run its course. +If the Supplier is a CNA, a CNA-LR must not assign a CVE ID or publish a CVE Record without first consulting that CNA. 
This ensures the CNA has the first right of refusal (see CNA Operational Rule [4.2.1](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_4-2_CVE_ID_Assignment)) and helps prevent dispute cascades while maintaining record quality. + + + +## Dispute Resolution Process + +1. Initiating a Dispute + + a. The disputing party must document and submit their rationale to the Adjudicator, providing supporting evidence such as issue trackers, security policies, or engineering findings. + +2. Acknowledgment of Receipt + + a. The Adjudicator will acknowledge receipt and initiation of the dispute in writing within three business days. + +3. Tagging the CVE Record + + a. If the dispute appears potentially legitimate, the CVE Record should be tagged as disputed while the process is ongoing. + + b. If the dispute is later deemed invalid or resolved, the disputed tag may be removed. + +4. Review and Stakeholder Engagement + + a. The Adjudicator will review the rationale and engage relevant stakeholders as necessary to fully understand the dispute. + +5. Adjudication and Decision Timeline + + a. The Adjudicator will apply CNA Operational Rules to assess the dispute and reach a decision within five business days after the three-day acknowledgment period. + + b. If additional time is required, the Adjudicator must notify all parties. + + c. If an extension exceeds 15 business days, the dispute may be escalated to the Root, who will coordinate with the Adjudicator to establish an appropriate resolution timeline. + +## Dispute Outcomes + +1. Valid Dispute + + a. The Adjudicator will notify all relevant parties in writing and modify (or initially publish) the CVE Record accordingly. + + b. If the disputing party agrees with the action, no escalation is required. + + c. If the disputing party disagrees, they may escalate the issue. + +2. Invalid Dispute + + a. The Adjudicator will notify the disputing party in writing that no changes will be made to the CVE Record. + + b. 
The disputing party retains the right to escalate the issue. + +3. Dispute Reconsideration + + a. Any party may provide additional correspondence to support their position if they believe the decision was incorrect. + + b. The Adjudicator MAY choose not to respond, taking no further action, effectively leaving the case closed. + + c. The Adjudicator MAY review and revise the decision. + + d. Considerations for reconsideration may include factors such as the severity of the vulnerability and whether the CNA’s publication practices align with industry expectations. + + e. If the dispute is escalated, the Root or TL-Root will follow the same procedure. + + f. Regardless of the outcome, the Root or TL-Root will inform all parties about the dispute escalation process by referencing this policy. + +4. Final Dispute Tagging + + In cases where the dispute is determined not valid by the final Adjudicator, the CVE Record must be updated to assure any “disputed” tag is removed in a timely manner. + +5. No Resolution Reached + + It should be noted that not all disputes require a resolution. There are cases where there will be ongoing disputes after a review. In that case, the CVE Record will continue to be marked as disputed. From 17730e91f098de29ba06f17ec8b48206d82afcfd Mon Sep 17 00:00:00 2001 From: Art Manion Date: Wed, 4 Jun 2025 14:37:51 -0400 Subject: [PATCH 2/6] change heading/version to draft/2.0.0-dev --- CVE_Dispute_Policy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CVE_Dispute_Policy.md b/CVE_Dispute_Policy.md index a297bec..f45cfc8 100644 --- a/CVE_Dispute_Policy.md +++ b/CVE_Dispute_Policy.md @@ -1,6 +1,6 @@ -| Status | Final | +| Status | Draft | | ---: | --- | -| Version | 2.0.0 | +| Version | 2.0.0-dev | | Adopted | 2025-mm-dd | | Effective | 2025-mm-dd | From 9d50e1b57b73122202e05b17e4f01484175ae0fd Mon Sep 17 00:00:00 2001 
From: eoinwm <114438429+eoinwm@users.noreply.github.com> Date: Tue, 29 Jul 2025 15:59:20 -0500 Subject: [PATCH 3/6] Update CVE_Dispute_Policy.md updating dispute policy with 2.0.0 changes --- CVE_Dispute_Policy.md | 76 +++++++++++++++++++++---------------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/CVE_Dispute_Policy.md b/CVE_Dispute_Policy.md index f45cfc8..dcdddbf 100644 --- a/CVE_Dispute_Policy.md +++ b/CVE_Dispute_Policy.md 
@@ -1,34 +1,34 @@ -| Status | Draft | +| Status | Approved | | ---: | --- | -| Version | 2.0.0-dev | -| Adopted | 2025-mm-dd | -| Effective | 2025-mm-dd | +| Version | 2.0.0 | +| Adopted | July 2, 2025 | +| Effective | July 2, 2025 | # CVE Program Policy and Procedure for Disputing a CVE Record ## Introduction -This policy and procedure for disputing CVE Records is enforced by [Top-Level Roots (TL-Root)](https://www.cve.org/ResourcesSupport/Glossary#glossaryTLRoot) and [Roots](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRoot). +This policy and procedure for disputing CVE Records is enforced by [Top-Level Roots (TL-Root)](https://www.cve.org/ResourcesSupport/Glossary#glossaryTLRoot) and [Roots](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRoot). This policy applies to all CVE Records that are disputed after July 2, 2025. ## Terms and Definitions Specific terms are defined in the [CVE Program Glossary](https://www.cve.org/ResourcesSupport/Glossary) and are capitalized when used in this document. The following fully-capitalized key words explain the requirement levels used in this document: -- MUST: Mandatory -- MUST NOT: Prohibited -- SHOULD: Recommended -- SHOULD NOT: Not recommended -- MAY: Discretionary +* MUST: Mandatory +* MUST NOT: Prohibited +* SHOULD: Recommended +* SHOULD NOT: Not recommended +* MAY: Discretionary ## CVE Record Dispute Policy and Procedure -The [CVE Program](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryProgram) requires all disputes to be initiated and escalated through the appropriate (TL-) Root hierarchy, beginning with the CVE Numbering Authority ([CNA](https://www.cve.org/ResourcesSupport/Glossary#glossaryCNA)) responsible for the affected scope. If the dispute involves a vulnerability determination outside any CNA’s scope, the process may start with a CNA of Last Resort ([CNA-LR](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCNALR)). 
+The [CVE Program](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryProgram) requires all disputes to be initiated and escalated through the appropriate (TL-) Root hierarchy, beginning with the CVE Numbering Authority ([CNA](https://www.cve.org/ResourcesSupport/Glossary#glossaryCNA)) responsible for the affected scope. If the dispute involves a vulnerability determination outside any CNA’s scope, the process may start with a CNA of Last Resort ([CNA-LR](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCNALR)). -If a disputing party disagrees with the initial decision of a CNA or CNA-LR, they may escalate the matter to the next level in the hierarchy—either a Root or TL-Root—for further review. TL-Roots’ decisions are final, except in cases involving cross-hierarchy scope issues. +If a disputing party disagrees with the initial decision of a CNA or CNA-LR, the disputing party MAY escalate the matter to the next level in the hierarchy—either a [Root](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRoot) or [TL-Root](https://www.cve.org/ResourcesSupport/Glossary#glossaryTLRoot)—for further review. TL-Roots’ decisions are final, except in cases involving cross-hierarchy scope issues. Disputes spanning multiple hierarchies will be adjudicated by the [Council of Roots](https://www.cve.org/ResourcesSupport/Glossary#glossaryCoR). Final determinations may uphold the Root or TL-Root decision, concluding the discussion. -The Dispute Resolution Process details can be found below. In cases involving significant cross-scope aspects, relevant parties should meet to identify the root cause and determine the most appropriate scope, following guidance from the [CVE Program Rules](https://www.cve.org/resourcessupport/allresources/cnarules). +The Dispute Resolution Process details can be found below. 
In cases involving significant cross-scope aspects, relevant parties SHOULD meet to identify the root cause and determine the most appropriate scope, following guidance from the [CVE Program Rules](https://www.cve.org/resourcessupport/allresources/cnarules). CVE Records may be disputed for a variety of reasons by various stakeholders participating in the CVE Program. Examples include disputes both before and after the creation of a CVE Record: 
@@ -36,11 +36,11 @@ CVE Records may be disputed for a variety of reasons by various stakeholders par a. CVE Record Validity: One party contends that a CVE Record should be created, and another party (e.g., a Supplier CNA or CNA-LR) contends that it should not because it is not a valid vulnerability. - b. Publish as Disputed: While infrequent, some CVE Records are created in disputed status. This occurs when the original reference for the record indicates a bug exists, but there are differences of opinion about whether the bug is a vulnerability based on the CVE Program’s definition. The existence of a patch for a bug does not demonstrably prove that a vulnerability exists. In this case, a CNA or CNA-LR may decide to assign a [CVE ID](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEID) and publish a CVE Record with a disputed tag. + b. Publish as Disputed: While infrequent, some CVE Records are created in disputed status. This occurs when the original reference for the record indicates a bug exists, but there are differences of opinion about whether the bug is a vulnerability based on the CVE Program’s definition. The existence of a patch for a bug does not demonstrably prove that a vulnerability exists. In this case, a CNA or CNA-LR MAY decide to assign a [CVE ID](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEID) and publish a CVE Record with a disputed tag. 2. After CVE Record Creation - a. CVE Record Validity: A published CVE Record may contain information that a program stakeholder believes is inaccurate. For example, a CNA-LR may publish a CVE Record to the [CVE List](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEList) based on a claim-based vulnerability report submitted by a third party (e.g., an independent researcher). In this example, the Supplier may believe the technology is behaving as intended and no vulnerability exists. 
When both a claim-based vulnerability report and Supplier assertion of technology behavior are in conflict, and there is insufficient information to demonstrably prove one point of view over another, the CVE Record may be disputed by the Supplier. Third parties may also dispute a CVE Record if they can put forth a valid point of view. + a. CVE Record Validity: A published CVE Record may contain information that a program stakeholder believes is inaccurate. For example, a CNA-LR MAY publish a CVE Record to the [CVE List](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEList) based on a claim-based vulnerability report submitted by a third party (e.g., an independent researcher). In this example, the Supplier may believe the technology is behaving as intended and no vulnerability exists. When both a claim-based vulnerability report and Supplier assertion of technology behavior are in conflict, and there is insufficient information to demonstrably prove one point of view over another, the CVE Record may be disputed by the Supplier. Third parties MAY also dispute a CVE Record. b. CNA Operational Rules Violations: One party contends that the Assignment(s) and Publication(s) of CVE Record(s) are in violation of the CVE Program rules. This covers use cases such as scoping. 
@@ -48,80 +48,80 @@ CVE Records may be disputed for a variety of reasons by various stakeholders par ## Process Overview -CNAs, Roots, and TL-Roots MAY serve as CVE Record dispute Adjudicators when necessary. To ensure transparency, each Adjudicator MUST provide a public-facing method for CVE Program stakeholders to initiate and escalate disputes[^1]. Additionally, Adjudicators MUST either host this policy on their public website or provide a direct URL to it, ensuring stakeholders are aware of the dispute resolution process. - -[^1]: CNA Operational Rule [3.2.3.1](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_3-2_CNA_Administration) states that “CNAs MUST provide public POC information that is published in the [List of Partners](https://www.cve.org/PartnerInformation/ListofPartners). The public POC is used for requests related to CVE ID assignment, CVE Record content, and other CVE-related issues.” +CNAs, Roots, and TL-Roots MAY serve as CVE Record dispute Adjudicators when necessary. To ensure transparency, each Adjudicator MUST provide a public-facing method for CVE Program stakeholders to initiate and escalate disputes (see CNA Operational Rule [3.2.3.1](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_3-2_CNA_Administration)). Additionally, Adjudicators MUST either host this policy on their public website or provide a direct URL to it, ensuring stakeholders are aware of the dispute resolution process. CNAs, Roots, and TL-Roots have the flexibility to manage disputes and escalations using methods that best suit their operations, as long as they remain consistent with this policy. TL-Roots, however, hold a unique responsibility to coordinate among themselves when handling disputes involving cross-hierarchy implications. -Dispute and escalation processes must be timely, effective, and aligned with CVE Program rules. 
Each party involved in a dispute must document their rationale, ensuring a structured and transparent escalation process as outlined below. - -If the Supplier is a CNA, a CNA-LR must not assign a CVE ID or publish a CVE Record without first consulting that CNA. This ensures the CNA has the first right of refusal (see CNA Operational Rule [4.2.1](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_4-2_CVE_ID_Assignment)) and helps prevent dispute cascades while maintaining record quality. +Dispute and escalation processes must be timely, effective, and aligned with CVE Program rules. Each party involved in a dispute MUST document their rationale, ensuring a structured and transparent escalation process as outlined below. +If the Supplier is a CNA, a CNA-LR MUST not assign a CVE ID or publish a CVE Record without first consulting that CNA. This ensures the supplier CNA has the first right of refusal (see CNA Operational Rule [4.2.1](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_4-2_CVE_ID_Assignment)) and helps prevent dispute cascades while maintaining record quality. +Placing the disputed tag allows consumers to determine whether there has been a dispute for a +record. If the Adjudicator is unable to place the tag for any reason, the TL-Root or Root MUST +update the record on their behalf. ## Dispute Resolution Process 1. Initiating a Dispute - a. The disputing party must document and submit their rationale to the Adjudicator, providing supporting evidence such as issue trackers, security policies, or engineering findings. + a. The disputing party MUST document and submit their rationale to the Adjudicator, providing supporting evidence such as issue trackers, security policies, or engineering findings. 2. Acknowledgment of Receipt - a. The Adjudicator will acknowledge receipt and initiation of the dispute in writing within three business days. + a. 
The Adjudicator MUST acknowledge receipt and initiation of the dispute in writing within three business days. 3. Tagging the CVE Record - a. If the dispute appears potentially legitimate, the CVE Record should be tagged as disputed while the process is ongoing. + a. If the dispute appears potentially legitimate, the Adjudicator MUST tag the CVE Record as disputed and provide a reason in the CVE Record while the process is ongoing. - b. If the dispute is later deemed invalid or resolved, the disputed tag may be removed. + b. If the dispute is later deemed invalid or resolved, the Adjudicator MUST remove the disputed tag and reason. 4. Review and Stakeholder Engagement - a. The Adjudicator will review the rationale and engage relevant stakeholders as necessary to fully understand the dispute. + a. The Adjudicator MUST review the rationale and engage relevant stakeholders as necessary to fully understand the dispute. 5. Adjudication and Decision Timeline - a. The Adjudicator will apply CNA Operational Rules to assess the dispute and reach a decision within five business days after the three-day acknowledgment period. + a. The Adjudicator MUST apply CNA Operational Rules to assess the dispute and reach a decision within five business days after the three-day acknowledgment period. - b. If additional time is required, the Adjudicator must notify all parties. + b. If additional time is required, the Adjudicator MUST notify all parties. - c. If an extension exceeds 15 business days, the dispute may be escalated to the Root, who will coordinate with the Adjudicator to establish an appropriate resolution timeline. + c. If an extension exceeds 15 business days, any involved party MAY escalate the dispute to the Root, who will coordinate with the Adjudicator to establish an appropriate resolution timeline. ## Dispute Outcomes 1. Valid Dispute - a. The Adjudicator will notify all relevant parties in writing and modify (or initially publish) the CVE Record accordingly. + a. 
The Adjudicator MUST make reasonable efforts to notify all relevant parties in writing and MUST modify (or initially publish) the CVE Record accordingly. b. If the disputing party agrees with the action, no escalation is required. - c. If the disputing party disagrees, they may escalate the issue. + c. If the disputing party disagrees, they MAY escalate the issue. 2. Invalid Dispute - a. The Adjudicator will notify the disputing party in writing that no changes will be made to the CVE Record. + a. The Adjudicator MUST make reasonable efforts to notify the disputing party in writing that no changes will be made to the CVE Record. b. The disputing party retains the right to escalate the issue. 3. Dispute Reconsideration - a. Any party may provide additional correspondence to support their position if they believe the decision was incorrect. + a. Any party MAY provide additional correspondence to support their position if they believe the decision was incorrect. b. The Adjudicator MAY choose not to respond, taking no further action, effectively leaving the case closed. c. The Adjudicator MAY review and revise the decision. - d. Considerations for reconsideration may include factors such as the severity of the vulnerability and whether the CNA’s publication practices align with industry expectations. + d. Reconsideration criteria could include but is not limited to the severity of the vulnerability and whether the CNA’s publication practices align with industry expectations. - e. If the dispute is escalated, the Root or TL-Root will follow the same procedure. + e. If the dispute is escalated, the Root or TL-Root MUST follow the same procedure. - f. Regardless of the outcome, the Root or TL-Root will inform all parties about the dispute escalation process by referencing this policy. + f. Regardless of the outcome, the Root or TL-Root MUST inform all parties about the dispute escalation process by referencing this policy. 4. 
Final Dispute Tagging - In cases where the dispute is determined not valid by the final Adjudicator, the CVE Record must be updated to assure any “disputed” tag is removed in a timely manner. + In cases where the dispute is determined not valid by the final Adjudicator, the CVE Record MUST be updated to remove the "disputed" tag in a timely manner. 5. No Resolution Reached - It should be noted that not all disputes require a resolution. There are cases where there will be ongoing disputes after a review. In that case, the CVE Record will continue to be marked as disputed. + It should be noted that not all disputes require a resolution. There are cases where there will be ongoing disputes after a review. In that case, the CVE Record will continue to be tagged as disputed and will continue to provide a reason for the dispute. From 557d6d9a8be26416c244706bca1faf729192afec Mon Sep 17 00:00:00 2001 From: eoinwm <114438429+eoinwm@users.noreply.github.com> Date: Tue, 29 Jul 2025 16:02:53 -0500 Subject: [PATCH 4/6] Add CVE Dispute Policy 2.0.0 --- CVE_Dispute_Policy_2.0.0.md | 127 ++++++++++++++++++++++++++++++++++++ 1 file changed, 127 insertions(+) create mode 100644 CVE_Dispute_Policy_2.0.0.md diff --git a/CVE_Dispute_Policy_2.0.0.md b/CVE_Dispute_Policy_2.0.0.md new file mode 100644 index 0000000..060318b --- /dev/null +++ b/CVE_Dispute_Policy_2.0.0.md 
@@ -0,0 +1,127 @@ +| Status | Approved | +| ---: | --- | +| Version | 2.0.0-dev | +| Adopted | July 2, 2025 | +| Effective | July 2, 2025 | + +# CVE Program Policy and Procedure for Disputing a CVE Record + +## Introduction + +This policy and procedure for disputing CVE Records is enforced by [Top-Level Roots (TL-Root)](https://www.cve.org/ResourcesSupport/Glossary#glossaryTLRoot) and [Roots](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRoot). This policy applies to all CVE Records that are disputed after July 2, 2025. + +## Terms and Definitions + +Specific terms are defined in the [CVE Program Glossary](https://www.cve.org/ResourcesSupport/Glossary) and are capitalized when used in this document. The following fully-capitalized key words explain the requirement levels used in this document: + +* MUST: Mandatory +* MUST NOT: Prohibited +* SHOULD: Recommended +* SHOULD NOT: Not recommended +* MAY: Discretionary + +## CVE Record Dispute Policy and Procedure + +The [CVE Program](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryProgram) requires all disputes to be initiated and escalated through the appropriate (TL-) Root hierarchy, beginning with the CVE Numbering Authority ([CNA](https://www.cve.org/ResourcesSupport/Glossary#glossaryCNA)) responsible for the affected scope. If the dispute involves a vulnerability determination outside any CNA’s scope, the process may start with a CNA of Last Resort ([CNA-LR](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCNALR)). + +If a disputing party disagrees with the initial decision of a CNA or CNA-LR, the disputing party MAY escalate the matter to the next level in the hierarchy—either a [Root](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRoot) or [TL-Root](https://www.cve.org/ResourcesSupport/Glossary#glossaryTLRoot)—for further review. TL-Roots’ decisions are final, except in cases involving cross-hierarchy scope issues. 
+ +Disputes spanning multiple hierarchies will be adjudicated by the [Council of Roots](https://www.cve.org/ResourcesSupport/Glossary#glossaryCoR). Final determinations may uphold the Root or TL-Root decision, concluding the discussion. + +The Dispute Resolution Process details can be found below. In cases involving significant cross-scope aspects, relevant parties SHOULD meet to identify the root cause and determine the most appropriate scope, following guidance from the [CVE Program Rules](https://www.cve.org/resourcessupport/allresources/cnarules). + +CVE Records may be disputed for a variety of reasons by various stakeholders participating in the CVE Program. Examples include disputes both before and after the creation of a CVE Record: + +1. During Vulnerability Determination + + a. CVE Record Validity: One party contends that a CVE Record should be created, and another party (e.g., a Supplier CNA or CNA-LR) contends that it should not because it is not a valid vulnerability. + + b. Publish as Disputed: While infrequent, some CVE Records are created in disputed status. This occurs when the original reference for the record indicates a bug exists, but there are differences of opinion about whether the bug is a vulnerability based on the CVE Program’s definition. The existence of a patch for a bug does not demonstrably prove that a vulnerability exists. In this case, a CNA or CNA-LR MAY decide to assign a [CVE ID](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEID) and publish a CVE Record with a disputed tag. + +2. After CVE Record Creation + + a. CVE Record Validity: A published CVE Record may contain information that a program stakeholder believes is inaccurate. For example, a CNA-LR MAY publish a CVE Record to the [CVE List](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEList) based on a claim-based vulnerability report submitted by a third party (e.g., an independent researcher). 
In this example, the Supplier may believe the technology is behaving as intended and no vulnerability exists. When both a claim-based vulnerability report and Supplier assertion of technology behavior are in conflict, and there is insufficient information to demonstrably prove one point of view over another, the CVE Record may be disputed by the Supplier. Third parties MAY also dispute a CVE Record. + + b. CNA Operational Rules Violations: One party contends that the Assignment(s) and Publication(s) of CVE Record(s) are in violation of the CVE Program rules. This covers use cases such as scoping. + + c. Assignment Disagreement: One party contends that a CVE Record(s) should be curated in a manner contrary to the assigning party (e.g., situations where the Assigner and a Researcher disagree on how many CVEs should be assigned to a particular issue). + +## Process Overview + +CNAs, Roots, and TL-Roots MAY serve as CVE Record dispute Adjudicators when necessary. To ensure transparency, each Adjudicator MUST provide a public-facing method for CVE Program stakeholders to initiate and escalate disputes (see CNA Operational Rule [3.2.3.1](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_3-2_CNA_Administration)). Additionally, Adjudicators MUST either host this policy on their public website or provide a direct URL to it, ensuring stakeholders are aware of the dispute resolution process. + +CNAs, Roots, and TL-Roots have the flexibility to manage disputes and escalations using methods that best suit their operations, as long as they remain consistent with this policy. TL-Roots, however, hold a unique responsibility to coordinate among themselves when handling disputes involving cross-hierarchy implications. + +Dispute and escalation processes must be timely, effective, and aligned with CVE Program rules. Each party involved in a dispute MUST document their rationale, ensuring a structured and transparent escalation process as outlined below. 
+ +If the Supplier is a CNA, a CNA-LR MUST not assign a CVE ID or publish a CVE Record without first consulting that CNA. This ensures the supplier CNA has the first right of refusal (see CNA Operational Rule [4.2.1](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_4-2_CVE_ID_Assignment)) and helps prevent dispute cascades while maintaining record quality. + +Placing the disputed tag allows consumers to determine whether there has been a dispute for a +record. If the Adjudicator is unable to place the tag for any reason, the TL-Root or Root MUST +update the record on their behalf. + +## Dispute Resolution Process + +1. Initiating a Dispute + + a. The disputing party MUST document and submit their rationale to the Adjudicator, providing supporting evidence such as issue trackers, security policies, or engineering findings. + +2. Acknowledgment of Receipt + + a. The Adjudicator MUST acknowledge receipt and initiation of the dispute in writing within three business days. + +3. Tagging the CVE Record + + a. If the dispute appears potentially legitimate, the Adjudicator MUST tag the CVE Record as disputed and provide a reason in the CVE Record while the process is ongoing. + + b. If the dispute is later deemed invalid or resolved, the Adjudicator MUST remove the disputed tag and reason. + +4. Review and Stakeholder Engagement + + a. The Adjudicator MUST review the rationale and engage relevant stakeholders as necessary to fully understand the dispute. + +5. Adjudication and Decision Timeline + + a. The Adjudicator MUST apply CNA Operational Rules to assess the dispute and reach a decision within five business days after the three-day acknowledgment period. + + b. If additional time is required, the Adjudicator MUST notify all parties. + + c. If an extension exceeds 15 business days, any involved party MAY escalate the dispute to the Root, who will coordinate with the Adjudicator to establish an appropriate resolution timeline. 
+ +## Dispute Outcomes + +1. Valid Dispute + + a. The Adjudicator MUST make reasonable efforts to notify all relevant parties in writing and MUST modify (or initially publish) the CVE Record accordingly. + + b. If the disputing party agrees with the action, no escalation is required. + + c. If the disputing party disagrees, they MAY escalate the issue. + +2. Invalid Dispute + + a. The Adjudicator MUST make reasonable efforts to notify the disputing party in writing that no changes will be made to the CVE Record. + + b. The disputing party retains the right to escalate the issue. + +3. Dispute Reconsideration + + a. Any party MAY provide additional correspondence to support their position if they believe the decision was incorrect. + + b. The Adjudicator MAY choose not to respond, taking no further action, effectively leaving the case closed. + + c. The Adjudicator MAY review and revise the decision. + + d. Reconsideration criteria could include but is not limited to the severity of the vulnerability and whether the CNA’s publication practices align with industry expectations. + + e. If the dispute is escalated, the Root or TL-Root MUST follow the same procedure. + + f. Regardless of the outcome, the Root or TL-Root MUST inform all parties about the dispute escalation process by referencing this policy. + +4. Final Dispute Tagging + + In cases where the dispute is determined not valid by the final Adjudicator, the CVE Record MUST be updated to remove the "disputed" tag in a timely manner. + +5. No Resolution Reached + + It should be noted that not all disputes require a resolution. There are cases where there will be ongoing disputes after a review. In that case, the CVE Record will continue to be tagged as disputed and will continue to provide a reason for the dispute. From 7e31ccc0f8c0ec9d5ea6a96680413a4c89eb3301 Mon Sep 17 00:00:00 2001 
From: eoinwm <114438429+eoinwm@users.noreply.github.com> Date: Wed, 30 Jul 2025 08:56:08 -0500 Subject: [PATCH 5/6] Delete CVE_Dispute_Policy.md remove old Dispute Policy --- CVE_Dispute_Policy.md | 127 ------------------------------------------ 1 file changed, 127 deletions(-) delete mode 100644 CVE_Dispute_Policy.md diff --git a/CVE_Dispute_Policy.md b/CVE_Dispute_Policy.md deleted file mode 100644 index dcdddbf..0000000 --- a/CVE_Dispute_Policy.md +++ /dev/null 
@@ -1,127 +0,0 @@ -| Status | Approved | -| ---: | --- | -| Version | 2.0.0 | -| Adopted | July 2, 2025 | -| Effective | July 2, 2025 | - -# CVE Program Policy and Procedure for Disputing a CVE Record - -## Introduction - -This policy and procedure for disputing CVE Records is enforced by [Top-Level Roots (TL-Root)](https://www.cve.org/ResourcesSupport/Glossary#glossaryTLRoot) and [Roots](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRoot). This policy applies to all CVE Records that are disputed after July 2, 2025. - -## Terms and Definitions - -Specific terms are defined in the [CVE Program Glossary](https://www.cve.org/ResourcesSupport/Glossary) and are capitalized when used in this document. The following fully-capitalized key words explain the requirement levels used in this document: - -* MUST: Mandatory -* MUST NOT: Prohibited -* SHOULD: Recommended -* SHOULD NOT: Not recommended -* MAY: Discretionary - -## CVE Record Dispute Policy and Procedure - -The [CVE Program](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryProgram) requires all disputes to be initiated and escalated through the appropriate (TL-) Root hierarchy, beginning with the CVE Numbering Authority ([CNA](https://www.cve.org/ResourcesSupport/Glossary#glossaryCNA)) responsible for the affected scope. If the dispute involves a vulnerability determination outside any CNA’s scope, the process may start with a CNA of Last Resort ([CNA-LR](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCNALR)). - -If a disputing party disagrees with the initial decision of a CNA or CNA-LR, the disputing party MAY escalate the matter to the next level in the hierarchy—either a [Root](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRoot) or [TL-Root](https://www.cve.org/ResourcesSupport/Glossary#glossaryTLRoot)—for further review. TL-Roots’ decisions are final, except in cases involving cross-hierarchy scope issues. 
- -Disputes spanning multiple hierarchies will be adjudicated by the [Council of Roots](https://www.cve.org/ResourcesSupport/Glossary#glossaryCoR). Final determinations may uphold the Root or TL-Root decision, concluding the discussion. - -The Dispute Resolution Process details can be found below. In cases involving significant cross-scope aspects, relevant parties SHOULD meet to identify the root cause and determine the most appropriate scope, following guidance from the [CVE Program Rules](https://www.cve.org/resourcessupport/allresources/cnarules). - -CVE Records may be disputed for a variety of reasons by various stakeholders participating in the CVE Program. Examples include disputes both before and after the creation of a CVE Record: - -1. During Vulnerability Determination - - a. CVE Record Validity: One party contends that a CVE Record should be created, and another party (e.g., a Supplier CNA or CNA-LR) contends that it should not because it is not a valid vulnerability. - - b. Publish as Disputed: While infrequent, some CVE Records are created in disputed status. This occurs when the original reference for the record indicates a bug exists, but there are differences of opinion about whether the bug is a vulnerability based on the CVE Program’s definition. The existence of a patch for a bug does not demonstrably prove that a vulnerability exists. In this case, a CNA or CNA-LR MAY decide to assign a [CVE ID](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEID) and publish a CVE Record with a disputed tag. - -2. After CVE Record Creation - - a. CVE Record Validity: A published CVE Record may contain information that a program stakeholder believes is inaccurate. For example, a CNA-LR MAY publish a CVE Record to the [CVE List](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEList) based on a claim-based vulnerability report submitted by a third party (e.g., an independent researcher). 
In this example, the Supplier may believe the technology is behaving as intended and no vulnerability exists. When both a claim-based vulnerability report and Supplier assertion of technology behavior are in conflict, and there is insufficient information to demonstrably prove one point of view over another, the CVE Record may be disputed by the Supplier. Third parties MAY also dispute a CVE Record. - - b. CNA Operational Rules Violations: One party contends that the Assignment(s) and Publication(s) of CVE Record(s) are in violation of the CVE Program rules. This covers use cases such as scoping. - - c. Assignment Disagreement: One party contends that a CVE Record(s) should be curated in a manner contrary to the assigning party (e.g., situations where the Assigner and a Researcher disagree on how many CVEs should be assigned to a particular issue). - -## Process Overview - -CNAs, Roots, and TL-Roots MAY serve as CVE Record dispute Adjudicators when necessary. To ensure transparency, each Adjudicator MUST provide a public-facing method for CVE Program stakeholders to initiate and escalate disputes (see CNA Operational Rule [3.2.3.1](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_3-2_CNA_Administration)). Additionally, Adjudicators MUST either host this policy on their public website or provide a direct URL to it, ensuring stakeholders are aware of the dispute resolution process. - -CNAs, Roots, and TL-Roots have the flexibility to manage disputes and escalations using methods that best suit their operations, as long as they remain consistent with this policy. TL-Roots, however, hold a unique responsibility to coordinate among themselves when handling disputes involving cross-hierarchy implications. - -Dispute and escalation processes must be timely, effective, and aligned with CVE Program rules. Each party involved in a dispute MUST document their rationale, ensuring a structured and transparent escalation process as outlined below. 
- -If the Supplier is a CNA, a CNA-LR MUST not assign a CVE ID or publish a CVE Record without first consulting that CNA. This ensures the supplier CNA has the first right of refusal (see CNA Operational Rule [4.2.1](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_4-2_CVE_ID_Assignment)) and helps prevent dispute cascades while maintaining record quality. - -Placing the disputed tag allows consumers to determine whether there has been a dispute for a -record. If the Adjudicator is unable to place the tag for any reason, the TL-Root or Root MUST -update the record on their behalf. - -## Dispute Resolution Process - -1. Initiating a Dispute - - a. The disputing party MUST document and submit their rationale to the Adjudicator, providing supporting evidence such as issue trackers, security policies, or engineering findings. - -2. Acknowledgment of Receipt - - a. The Adjudicator MUST acknowledge receipt and initiation of the dispute in writing within three business days. - -3. Tagging the CVE Record - - a. If the dispute appears potentially legitimate, the Adjudicator MUST tag the CVE Record as disputed and provide a reason in the CVE Record while the process is ongoing. - - b. If the dispute is later deemed invalid or resolved, the Adjudicator MUST remove the disputed tag and reason. - -4. Review and Stakeholder Engagement - - a. The Adjudicator MUST review the rationale and engage relevant stakeholders as necessary to fully understand the dispute. - -5. Adjudication and Decision Timeline - - a. The Adjudicator MUST apply CNA Operational Rules to assess the dispute and reach a decision within five business days after the three-day acknowledgment period. - - b. If additional time is required, the Adjudicator MUST notify all parties. - - c. If an extension exceeds 15 business days, any involved party MAY escalate the dispute to the Root, who will coordinate with the Adjudicator to establish an appropriate resolution timeline. 
- -## Dispute Outcomes - -1. Valid Dispute - - a. The Adjudicator MUST make reasonable efforts to notify all relevant parties in writing and MUST modify (or initially publish) the CVE Record accordingly. - - b. If the disputing party agrees with the action, no escalation is required. - - c. If the disputing party disagrees, they MAY escalate the issue. - -2. Invalid Dispute - - a. The Adjudicator MUST make reasonable efforts to notify the disputing party in writing that no changes will be made to the CVE Record. - - b. The disputing party retains the right to escalate the issue. - -3. Dispute Reconsideration - - a. Any party MAY provide additional correspondence to support their position if they believe the decision was incorrect. - - b. The Adjudicator MAY choose not to respond, taking no further action, effectively leaving the case closed. - - c. The Adjudicator MAY review and revise the decision. - - d. Reconsideration criteria could include but is not limited to the severity of the vulnerability and whether the CNA’s publication practices align with industry expectations. - - e. If the dispute is escalated, the Root or TL-Root MUST follow the same procedure. - - f. Regardless of the outcome, the Root or TL-Root MUST inform all parties about the dispute escalation process by referencing this policy. - -4. Final Dispute Tagging - - In cases where the dispute is determined not valid by the final Adjudicator, the CVE Record MUST be updated to remove the "disputed" tag in a timely manner. - -5. No Resolution Reached - - It should be noted that not all disputes require a resolution. There are cases where there will be ongoing disputes after a review. In that case, the CVE Record will continue to be tagged as disputed and will continue to provide a reason for the dispute. From 62d37ff546fada3d4ee21aadaeb75d7351014d93 Mon Sep 17 00:00:00 2001 
From: eoinwm <114438429+eoinwm@users.noreply.github.com> Date: Wed, 30 Jul 2025 08:56:43 -0500 Subject: [PATCH 6/6] Update and rename CVE_Dispute_Policy_2.0.0.md to CVE_Dispute_Policy.md Replace old CVE Dispute Policy with 2.0.0 --- CVE_Dispute_Policy_2.0.0.md => CVE_Dispute_Policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename CVE_Dispute_Policy_2.0.0.md => CVE_Dispute_Policy.md (98%) diff --git a/CVE_Dispute_Policy_2.0.0.md b/CVE_Dispute_Policy.md similarity index 98% rename from CVE_Dispute_Policy_2.0.0.md rename to CVE_Dispute_Policy.md index 060318b..dcdddbf 100644 --- a/CVE_Dispute_Policy_2.0.0.md +++ b/CVE_Dispute_Policy.md @@ -1,6 +1,6 @@ | Status | Approved | | ---: | --- | -| Version | 2.0.0-dev | +| Version | 2.0.0 | | Adopted | July 2, 2025 | | Effective | July 2, 2025 |
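Review bot: In the CVE_Dispute_Policy.md hunk of the first patch, Dispute Outcomes item 4 (Final Dispute Tagging) only requires removing the "disputed" tag, while step 3.b of the Dispute Resolution Process in the same hunk now says the Adjudicator MUST remove "the disputed tag and reason". Item 4 should name the reason as well, so that a dispute rejected by the final Adjudicator does not leave a stale reason in the CVE Record. Step 5 also leaves the clock open: 5.b sets no deadline for notifying the parties that more time is needed, 5.c does not say what the 15 business days are counted from, and "who will coordinate" in 5.c is the one "will" in this hunk that was not converted to a requirement keyword.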
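Review bot: In the new CVE_Dispute_Policy_2.0.0.md added by 4/6, the Process Overview sentence "a CNA-LR MUST not assign a CVE ID" does not match the keyword defined under Terms and Definitions, which is "MUST NOT"; please capitalize it. "Dispute and escalation processes must be timely" in the same section and "the process may start with a CNA of Last Resort" in the policy section use lowercase keywords, so a reader cannot tell whether they are requirements; capitalize them or reword. Smaller items: "Reconsideration criteria could include but is not limited to" should read "include, but are not limited to"; the paragraph starting "Placing the disputed tag" is hard-wrapped over three lines, unlike every other paragraph in the file; and the header pairs Status "Approved" with Version "2.0.0-dev".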
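Review bot: The rename in 6/6 ends at blob dcdddbf, which is the same blob 5/6 deletes from CVE_Dispute_Policy.md, so patches 4/6 through 6/6 together leave CVE_Dispute_Policy.md byte-identical to what it was before 5/6. The "-dev" suffix that 6/6 removes existed only in the temporary copy created by 4/6. Please drop these three patches or squash them into the commit that actually changes the policy text; as written they add a 127-line create, a 127-line delete and a rename to the history without changing the published file, and the delete-then-rename makes the policy's history harder to follow in blame and log output.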