Reporting Capability For CVE Records That Haven’t Been Populated Despite Details Being Public #18

Open
PluginVulnerabilities opened this issue Jan 3, 2024 · 1 comment

@PluginVulnerabilities

Proposed New Idea/Feature (required)

We keep running across publicly listed CVE IDs where CNAs are not populating the CVE record, but releasing details into their own systems. This is sometimes true even months after they added it to their own system. Currently, there isn’t a mechanism to report this and therefore a method to monitor for CNAs repeatedly failing to populate CVE records despite publicly listing associated CVE IDs for them.

Additional Notes (Optional)

In addition to reporting a URL where the public usage can be seen, an option to list the date it was made public would increase the value of the data.

@zmanion

zmanion commented Jan 17, 2024

There is an existing mechanism, although it could be more automated: https://cveform.mitre.org/ (select "Notify CVE about a publication").

While it doesn't directly address the new feature, the proposed changes to the CNA Operational Rules will specify tighter timelines for CNAs to populate Records for CVE IDs they own.
