128 changes: 100 additions & 28 deletions CVE_Dispute_Policy.md
@@ -1,55 +1,127 @@
| Status | Final |
| Status | Approved |
| ---: | --- |
| Version | 1.0 |
| Adopted | 2022-09-22 |
| Effective | 2022-09-22 |
| Version | 2.0.0 |
| Adopted | July 2, 2025 |
| Effective | July 2, 2025 |

# CVE Program Policy and Procedure for Disputing a CVE Record

This policy and procedure is enforced by [Roots](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRoot), [Top-Level Roots (TLR)](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryTLRoot), and the Council of Roots (CoR).
## Introduction

## Definitions
This policy and procedure for disputing CVE Records is enforced by [Top-Level Roots (TL-Root)](https://www.cve.org/ResourcesSupport/Glossary#glossaryTLRoot) and [Roots](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRoot). This policy applies to all CVE Records that are disputed after July 2, 2025.

* **Disputes:** Disagreements with the accuracy or completeness of a [CVE Record](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRecord), or the validity of a vulnerability upon which a CVE Record is based.
## Terms and Definitions

* **Escalation:** The process by which disputes are evaluated and resolved.
Specific terms are defined in the [CVE Program Glossary](https://www.cve.org/ResourcesSupport/Glossary) and are capitalized when used in this document. The following fully-capitalized key words explain the requirement levels used in this document:

## Policy
* MUST: Mandatory
* MUST NOT: Prohibited
* SHOULD: Recommended
* SHOULD NOT: Not recommended
* MAY: Discretionary

It is the policy of the [CVE Program](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryProgram) that all disputes be initiated and escalated through the appropriate Root hierarchy, starting with the CVE Numbering Authority (CNA) within the hierarchy that owns the scope for which the record applies. Should any party in a dispute not accept the decision of the Root or TLR within a hierarchy, the CoR may decide to get involved and make the decision. All CoR decisions are final.
## CVE Record Dispute Policy and Procedure

CVE Records may be disputed for a variety of reasons by various stakeholders participating in the CVE Program. Examples include:
The [CVE Program](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryProgram) requires all disputes to be initiated and escalated through the appropriate (TL-) Root hierarchy, beginning with the CVE Numbering Authority ([CNA](https://www.cve.org/ResourcesSupport/Glossary#glossaryCNA)) responsible for the affected scope. If the dispute involves a vulnerability determination outside any CNA’s scope, the process may start with a CNA of Last Resort ([CNA-LR](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCNALR)).

* **Record accuracy:** A published CVE Record may contain information that a program stakeholder believes is inaccurate. For example, a [CNA of Last Resort (CNA-LR)](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCNALR) may publish a CVE Record to the [CVE List](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEList) based on a claim-based vulnerability report submitted by a third party (e.g., an independent researcher). In this example, the developer of the technology (i.e., a vendor or maintainer), may believe the technology is behaving as intended and no vulnerability exists. When both a claim-based vulnerability report and vendor or maintainer assertion of technology behavior are in conflict, and there is insufficient information to demonstrably prove one point of view over another, the CVE Record may be disputed by the technology vendor or maintainer. Third parties may also dispute a CVE Record if they can put forth a valid point of view.
If a disputing party disagrees with the initial decision of a CNA or CNA-LR, the disputing party MAY escalate the matter to the next level in the hierarchy—either a [Root](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryRoot) or [TL-Root](https://www.cve.org/ResourcesSupport/Glossary#glossaryTLRoot)—for further review. TL-Roots’ decisions are final, except in cases involving cross-hierarchy scope issues.

* **Incomplete information:** A Published CVE Record may lack sufficient information for the vulnerability to be re-created by a CVE Program stakeholder. In this case, the technology vendor, maintainer, or third party may dispute the CVE Record.
Disputes spanning multiple hierarchies will be adjudicated by the [Council of Roots](https://www.cve.org/ResourcesSupport/Glossary#glossaryCoR). Final determinations may uphold the Root or TL-Root decision, concluding the discussion.

* **Disputed upon CVE Record creation:** While infrequent, some CVE Records are created in disputed status. This occurs when the original reference for the record indicates that a bug exists, but there are differences of opinion about whether the bug is a vulnerability based on the CVE Program’s definition. The existence of a patch for a bug does not demonstrably prove that a vulnerability exists. In this case, a CNA-LR may assign a [CVE ID](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEID) and publish a CVE Record with a DISPUTED tag.
The Dispute Resolution Process details can be found below. In cases involving significant cross-scope aspects, relevant parties SHOULD meet to identify the root cause and determine the most appropriate scope, following guidance from the [CVE Program Rules](https://www.cve.org/resourcessupport/allresources/cnarules).

CNAs, Roots, and TLRs must have a publicly facing way for CVE Program stakeholders to initiate dispute and escalation processes. They must also include a URL to this policy or include this policy on their public-facing website so that CVE Program stakeholders understand that disputes can be made, and that a process exists for both initiating and escalating a dispute.
CVE Records may be disputed for a variety of reasons by various stakeholders participating in the CVE Program. Examples include disputes both before and after the creation of a CVE Record:

CNAs, Roots, and TLRs may coordinate the dispute and escalation process, consistent with this policy, by whatever means work best for them. Dispute and escalation processes must be timely, effective, and based on the application of CVE Program rules. Each party in a dispute must document their rationale regarding a dispute. Such documentation must be in a common text format such as a text entry box in a web form, or a Markdown document. This is necessary to effectively orchestrate the dispute escalation procedure described below. The final arbiter of a dispute is the CoR, should the CoR decide to consider the dispute. CoR decisions are final and may not be appealed. This includes determining that the TLR decision is appropriate, and no further discussion is required.
1. During Vulnerability Determination

It is expected that very few disputes will require adjudication by the CoR. The CoR will determine what cases require its intervention. However, the CoR may not intervene until the escalation process is complete within a TLR hierarchy. Should the CoR decide not to intervene, the decision of the TLR will be final, with no recourse for appeal. Cases where the CoR chooses to intervene typically represent a set of uncommon circumstances. In these cases, the [CVE Board](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryBoard) must be informed so the circumstances driving the dispute can be considered in terms of potential enhancements to this policy or other program policies and rules.
a. CVE Record Validity: One party contends that a CVE Record should be created, and another party (e.g., a Supplier CNA or CNA-LR) contends that it should not because it is not a valid vulnerability.

If the technology vendor or maintainer is a CNA, a CNA-LR must not assign a CVE ID and publish a CVE Record without first conferring with that CNA, to minimize cascades of disputes and maximize record quality.
b. Publish as Disputed: While infrequent, some CVE Records are created in disputed status. This occurs when the original reference for the record indicates a bug exists, but there are differences of opinion about whether the bug is a vulnerability based on the CVE Program’s definition. The existence of a patch for a bug does not demonstrably prove that a vulnerability exists. In this case, a CNA or CNA-LR MAY decide to assign a [CVE ID](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEID) and publish a CVE Record with a disputed tag.

## Procedure
2. After CVE Record Creation

![CVE Dispute Process Flowchart](assets/dispute_flowchart.png)
a. CVE Record Validity: A published CVE Record may contain information that a program stakeholder believes is inaccurate. For example, a CNA-LR MAY publish a CVE Record to the [CVE List](https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCVEList) based on a claim-based vulnerability report submitted by a third party (e.g., an independent researcher). In this example, the Supplier may believe the technology is behaving as intended and no vulnerability exists. When both a claim-based vulnerability report and Supplier assertion of technology behavior are in conflict, and there is insufficient information to demonstrably prove one point of view over another, the CVE Record may be disputed by the Supplier. Third parties MAY also dispute a CVE Record.

1. The party initiating the dispute must document their rationale for the dispute and submit the rationale to the CNA. The disputing party should provide evidence and rationale as a basis for the dispute (e.g., issue trackers, application security policy, findings).
b. CNA Operational Rules Violations: One party contends that the Assignment(s) and Publication(s) of CVE Record(s) are in violation of the CVE Program rules. This covers use cases such as scoping.

2. The CNA will acknowledge receipt of the dispute, in writing, within three business days.
c. Assignment Disagreement: One party contends that a CVE Record(s) should be curated in a manner contrary to the assigning party (e.g., situations where the Assigner and a Researcher disagree on how many CVEs should be assigned to a particular issue).

3. The CNA will review the rationale and engage the appropriate stakeholders, as necessary, to develop an understanding of the basis for the dispute.
## Process Overview

4. The CNA will apply the CNA Operational Rules against the dispute rationale and will decide within five business days regarding the validity of the dispute. The five-day period will begin after the 72-hour receipt and acknowledgment period ends. Should the fiveday period be an inadequate span of time, the CNA will inform the parties in the dispute that more time is needed. Should any extension of time exceed 15 business days, the dispute may be escalated to the Root. In this case, the Root will confer with the CNA to determine an appropriate time frame.
CNAs, Roots, and TL-Roots MAY serve as CVE Record dispute Adjudicators when necessary. To ensure transparency, each Adjudicator MUST provide a public-facing method for CVE Program stakeholders to initiate and escalate disputes (see CNA Operational Rule [3.2.3.1](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_3-2_CNA_Administration)). Additionally, Adjudicators MUST either host this policy on their public website or provide a direct URL to it, ensuring stakeholders are aware of the dispute resolution process.

a) *Valid dispute:* The CNA will notify the parties of concern in writing of the decision and will modify the CVE Record. Should this be the outcome, provided the disputing party agrees with the modification, no escalation is required. The disputing party may escalate the issue should they disagree with the record modification.
CNAs, Roots, and TL-Roots have the flexibility to manage disputes and escalations using methods that best suit their operations, as long as they remain consistent with this policy. TL-Roots, however, hold a unique responsibility to coordinate among themselves when handling disputes involving cross-hierarchy implications.

b) *Invalid dispute:* The CNA will notify the disputing party of the decision in writing, indicating that no record modification will be made. The disputing party may escalate the issue in this case.
Dispute and escalation processes must be timely, effective, and aligned with CVE Program rules. Each party involved in a dispute MUST document their rationale, ensuring a structured and transparent escalation process as outlined below.

Should the escalation process be initiated, the Root, TLR, and CoR will follow the same procedure. Regardless of the outcome of a dispute, the Root, TLR, or CoR, will inform the parties in a dispute of the dispute escalation process. This can be done by pointing to this policy.
If the Supplier is a CNA, a CNA-LR MUST not assign a CVE ID or publish a CVE Record without first consulting that CNA. This ensures the supplier CNA has the first right of refusal (see CNA Operational Rule [4.2.1](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_4-2_CVE_ID_Assignment)) and helps prevent dispute cascades while maintaining record quality.

In cases where the dispute is valid, but the CNA will not modify the CVE Record, the appropriate CNA-LR will tag the CVE Record with the DISPUTED tag and will provide the rationale for the validity of the dispute. This step will be taken after the dispute escalation process has run its course.
Placing the disputed tag allows consumers to determine whether there has been a dispute for a
record. If the Adjudicator is unable to place the tag for any reason, the TL-Root or Root MUST
update the record on their behalf.

## Dispute Resolution Process

1. Initiating a Dispute

a. The disputing party MUST document and submit their rationale to the Adjudicator, providing supporting evidence such as issue trackers, security policies, or engineering findings.

2. Acknowledgment of Receipt

a. The Adjudicator MUST acknowledge receipt and initiation of the dispute in writing within three business days.

3. Tagging the CVE Record

a. If the dispute appears potentially legitimate, the Adjudicator MUST tag the CVE Record as disputed and provide a reason in the CVE Record while the process is ongoing.

b. If the dispute is later deemed invalid or resolved, the Adjudicator MUST remove the disputed tag and reason.

4. Review and Stakeholder Engagement

a. The Adjudicator MUST review the rationale and engage relevant stakeholders as necessary to fully understand the dispute.

5. Adjudication and Decision Timeline

a. The Adjudicator MUST apply CNA Operational Rules to assess the dispute and reach a decision within five business days after the three-day acknowledgment period.

b. If additional time is required, the Adjudicator MUST notify all parties.

c. If an extension exceeds 15 business days, any involved party MAY escalate the dispute to the Root, who will coordinate with the Adjudicator to establish an appropriate resolution timeline.

## Dispute Outcomes

1. Valid Dispute

a. The Adjudicator MUST make reasonable efforts to notify all relevant parties in writing and MUST modify (or initially publish) the CVE Record accordingly.

b. If the disputing party agrees with the action, no escalation is required.

c. If the disputing party disagrees, they MAY escalate the issue.

2. Invalid Dispute

a. The Adjudicator MUST make reasonable efforts to notify the disputing party in writing that no changes will be made to the CVE Record.

b. The disputing party retains the right to escalate the issue.

3. Dispute Reconsideration

a. Any party MAY provide additional correspondence to support their position if they believe the decision was incorrect.

b. The Adjudicator MAY choose not to respond, taking no further action, effectively leaving the case closed.

c. The Adjudicator MAY review and revise the decision.

d. Reconsideration criteria could include but is not limited to the severity of the vulnerability and whether the CNA’s publication practices align with industry expectations.

e. If the dispute is escalated, the Root or TL-Root MUST follow the same procedure.

f. Regardless of the outcome, the Root or TL-Root MUST inform all parties about the dispute escalation process by referencing this policy.

4. Final Dispute Tagging

In cases where the dispute is determined not valid by the final Adjudicator, the CVE Record MUST be updated to remove the "disputed" tag in a timely manner.

5. No Resolution Reached

It should be noted that not all disputes require a resolution. There are cases where there will be ongoing disputes after a review. In that case, the CVE Record will continue to be tagged as disputed and will continue to provide a reason for the dispute.
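Review bot: the escalation target in step 5c of the Dispute Resolution Process no longer matches the generalized "Adjudicator" role introduced earlier in this hunk. Under "Process Overview" the text says "CNAs, Roots, and TL-Roots MAY serve as CVE Record dispute Adjudicators", yet 5c reads "any involved party MAY escalate the dispute to the Root, who will coordinate with the Adjudicator", which is circular when the Adjudicator is itself a Root, and leaves no target when it is a TL-Root. Suggest wording it as escalation to the next level in the hierarchy (Root for a CNA or CNA-LR Adjudicator, TL-Root for a Root Adjudicator), consistent with the "next level in the hierarchy" phrasing under "CVE Record Dispute Policy and Procedure". Two smaller consistency points in the same hunk: "a CNA-LR MUST not assign a CVE ID" should use the defined key word "MUST NOT", and "Dispute and escalation processes must be timely" uses lowercase "must" where every other requirement in the new text is capitalized; and the paragraph beginning "Placing the disputed tag allows consumers" is hard-wrapped across three lines while the rest of the file keeps one paragraph per line. In "Dispute Reconsideration", "criteria could include but is not limited to" should read "are not limited to", and items 3e and 3f describe escalation rather than reconsideration, so they would sit better as their own numbered item.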