From 4dfcc11b86035b56f1ed3becbbee7eb8f062780c Mon Sep 17 00:00:00 2001
From: Jon Moroney
Date: Tue, 7 Oct 2025 13:46:35 -0700
Subject: [PATCH 1/7] Add schema property
---
 schema/CVE_Record_Format.json | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
index aaf5f5adb7c..8034458f6da 100644
--- a/schema/CVE_Record_Format.json
+++ b/schema/CVE_Record_Format.json
@@ -87,6 +87,10 @@
 "format": "date",
 "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$"
 },
+ "discussionForum": {
+ "description": "The canonical forum for discussing CVE details.",
+ "$ref": "#/definitions/uriType"
+ },
 "timestamp": {
 "type": "string",
 "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
From 2964bc082577fadcf63e30c3d90cc292a42a85d7 Mon Sep 17 00:00:00 2001
From: Jon Moroney
Date: Thu, 9 Oct 2025 12:44:27 -0700
Subject: [PATCH 2/7] Add to containers
---
 schema/CVE_Record_Format.json | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
index 8034458f6da..45dfdc34281 100644
--- a/schema/CVE_Record_Format.json
+++ b/schema/CVE_Record_Format.json
@@ -622,6 +622,9 @@
 "references": {
 "$ref": "#/definitions/references"
 },
+ "discussionForum": {
+ "$ref": "#/definitions/discussionForum"
+ },
 "impacts": {
 "$ref": "#/definitions/impacts"
 },
@@ -731,6 +734,9 @@
 "problemTypes": {
 "$ref": "#/definitions/problemTypes"
 },
+ "discussionForum": {
+ "$ref": "#/definitions/discussionForum"
+ },
 "references": {
 "$ref": "#/definitions/references"
 },
From 2ea959b95a4a5247f20ddeaf4a48366d8b208624 Mon Sep 17 00:00:00 2001
From: Jon Moroney
Date: Wed, 15 Oct 2025 13:06:40 -0700
Subject: [PATCH 3/7] Add rfd file
---
 rfds/0000-public-forum-link.md | 83 ++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)
 create mode 100644 rfds/0000-public-forum-link.md
diff --git a/rfds/0000-public-forum-link.md b/rfds/0000-public-forum-link.md
new file mode 100644
index 00000000000..b70bcad92f3
--- /dev/null
+++ b/rfds/0000-public-forum-link.md
@@ -0,0 +1,83 @@
+# Optional discussion forum advertisement
+
+| Field | Value |
+|:-----------------|:-------|
+| RFD Submitter | Jon Moroney |
+| RFD Pull Request | [RFD #0000](https://github.com/CVEProject/cve-schema/pull/1234) |
+
+## Summary
+[summary]: #summary
+
+Introduce an optional field to advertise a public comment forum. The goal is to ensure that record readers know where to go to inquire about or dispute record details. Ensuring there's a standard format allows tools to advertise feedback points which in turn allows more CNAs to take feedback and to iteritvly improve the quality of their record sets.
+
+## Problem Statement
+[problem-statement]: #problem-statement
+
+By the nature of multitude of possible ways an advisory disclosure may conclude, CVE records are often incomplete or inaccurate at time of publication. As details and context come to light individuals will notice the deficiencies and ideally the individual reports and resolves their observation with the record owner. More eyeballs tend to find more bugs and the community as a whole benefits from an advisory corpus which improves over time.
+
+## Proposed Solution
+[proposed-solution]: #proposed-solution
+
+This RFD proposes one new optional CVE property of the form
+
+```
+"discussionForum": {
+ "description": "The canonical forum for discussing CVE details.",
+ "$ref": "#/definitions/uriType"
+ },
+```
+
+The details are not set in stone, but the idea is to provide a URL which points a consumer of a CVE in the right direction should they have issue with the record. Tooling could even integrate this into how records are presented. Ideally this is public both for the benefit of community knowledge and to reduce duplicate work on the part of the humans tasked to operate the forum.
+
+## Examples
+[examples]: #examples
+
+Both Github and CISA are already operating feedback forums.
+
+https://github.com/github/advisory-database/
+and
+https://github.com/cisagov/vulnrichment
+
+## Impact Assessment
+[impact-assessment]: #impact-assessment
+
+Low. This field can be safely ignored.
+
+## Compatibility and Migration
+[compatibility-and-migration]: #compatibility-and-migration
+
+It adds one optional property
+
+## Success Metrics
+[success-metrics]: #success-metrics
+
+Success would be CNAs/ADPs other than Github and CISA standing up feedback forums and welcoming feedback.
+
+## Supporting Data or Research
+[supporting-data-or-research]: #supporting-data-or-research
+
+Seems to be working well for Github and CISA.
+
+## Related Issues or Proposals
+[related-issues-or-proposals]: #related-issues-or-proposals
+
+None
+
+## Recommended Priority
+[recommended-priority]: #recommended-priority
+
+Medium
+
+## Unresolved Questions
+[unresolved-questions]: #unresolved-questions
+
+How to handle the case where an adp and cna both publish unique discussion forums.
+* Let both/all exist?
+* First come first serve and reject others?
+* Have some process to give up claim/transfer with this?
+* Something else?
+
+## Future Possibilities
+[future-possibilities]: #future-possibilities
+
+I'd love to see a CNA use this field dynamically such that the record for CVE-808-12345 would point to the individual topic for that CVE record. With this approach user would be welcomed to an ongoing conversation rathar than needing to search.
\ No newline at end of file
From c21bdc90d073ff322bc14531dfdda300bc2cd5f9 Mon Sep 17 00:00:00 2001
From: Jon Moroney
Date: Wed, 15 Oct 2025 13:10:12 -0700
Subject: [PATCH 4/7] Update rfd with pr number
---
 rfds/0000-public-forum-link.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rfds/0000-public-forum-link.md b/rfds/0000-public-forum-link.md
index b70bcad92f3..df8383ea421 100644
--- a/rfds/0000-public-forum-link.md
+++ b/rfds/0000-public-forum-link.md
@@ -3,7 +3,7 @@
 | Field | Value |
 |:-----------------|:-------|
 | RFD Submitter | Jon Moroney |
-| RFD Pull Request | [RFD #0000](https://github.com/CVEProject/cve-schema/pull/1234) |
+| RFD Pull Request | [RFD #0000](https://github.com/CVEProject/cve-schema/pull/462) |
 ## Summary
 [summary]: #summary
@@ -80,4 +80,4 @@ How to handle the case where an adp and cna both publish unique discussion forum
 ## Future Possibilities
 [future-possibilities]: #future-possibilities
-I'd love to see a CNA use this field dynamically such that the record for CVE-808-12345 would point to the individual topic for that CVE record. With this approach user would be welcomed to an ongoing conversation rathar than needing to search.
\ No newline at end of file
+I'd love to see a CNA use this field dynamically such that the record for CVE-808-12345 would point to the individual topic for that CVE record. With this approach user would be welcomed to an ongoing conversation rathar than needing to search.
From 6a315052989bdd839727d262cd9f105e0396f8c7 Mon Sep 17 00:00:00 2001
From: Jon Moroney
Date: Tue, 21 Oct 2025 13:54:47 -0700
Subject: [PATCH 5/7] Add tag
---
 schema/tags/reference-tags.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/schema/tags/reference-tags.json b/schema/tags/reference-tags.json
index 41a1aebe7af..16d6762dc93 100644
--- a/schema/tags/reference-tags.json
+++ b/schema/tags/reference-tags.json
@@ -22,6 +22,7 @@
 "technical-description",
 "third-party-advisory",
 "vendor-advisory",
- "vdb-entry"
+ "vdb-entry",
+ "discussion-forum"
 ]
 }
\ No newline at end of file
From 36c1bf9fdf803971bd9789e11c8e15dce821cf43 Mon Sep 17 00:00:00 2001
From: Jon Moroney
Date: Tue, 21 Oct 2025 13:55:01 -0700
Subject: [PATCH 6/7] Revert new property
---
 schema/CVE_Record_Format.json | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/schema/CVE_Record_Format.json b/schema/CVE_Record_Format.json
index 45dfdc34281..aaf5f5adb7c 100644
--- a/schema/CVE_Record_Format.json
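Review bot: The `discussion-forum` value is appended to the enum in `schema/tags/reference-tags.json` with no accompanying definition of what a reference carrying it means, so consumers have only the tag name to interpret. If this file documents each tag in its top-level `description` the way the other entries presumably are (that text is outside the hunk), add a matching line, e.g. `discussion-forum: A public venue where readers can discuss, question or dispute the contents of the record`. That definition is also the right place to state that the tagged URL is supplied by the record owner and is not validated by the schema beyond the existing reference constraints, so tooling does not present it as a vetted source; the RFD's "ideally this is public" expectation otherwise has no enforceable home. The hunk keeps the file without a trailing newline (`\ No newline at end of file`); adding one while touching the closing bracket would be a cheap tidy-up.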
+++ b/schema/CVE_Record_Format.json
@@ -87,10 +87,6 @@
 "format": "date",
 "pattern": "^((2000|2400|2800|(19|2[0-9](0[48]|[2468][048]|[13579][26])))-02-29)|(((19|2[0-9])[0-9]{2})-02-(0[1-9]|1[0-9]|2[0-8]))|(((19|2[0-9])[0-9]{2})-(0[13578]|10|12)-(0[1-9]|[12][0-9]|3[01]))|(((19|2[0-9])[0-9]{2})-(0[469]|11)-(0[1-9]|[12][0-9]|30))$"
 },
- "discussionForum": {
- "description": "The canonical forum for discussing CVE details.",
- "$ref": "#/definitions/uriType"
- },
 "timestamp": {
 "type": "string",
 "description": "Date/time format based on RFC3339 and ISO ISO8601, with an optional timezone in the format 'yyyy-MM-ddTHH:mm:ss[+-]ZH:ZM'. If timezone offset is not given, GMT (+00:00) is assumed.",
@@ -622,9 +618,6 @@
 "references": {
 "$ref": "#/definitions/references"
 },
- "discussionForum": {
- "$ref": "#/definitions/discussionForum"
- },
 "impacts": {
 "$ref": "#/definitions/impacts"
 },
@@ -734,9 +727,6 @@
 "problemTypes": {
 "$ref": "#/definitions/problemTypes"
 },
- "discussionForum": {
- "$ref": "#/definitions/discussionForum"
- },
 "references": {
 "$ref": "#/definitions/references"
 },
From 0923f5b935c5c3d8511789500a83448fc8b9171a Mon Sep 17 00:00:00 2001
From: Jon Moroney
Date: Tue, 21 Oct 2025 13:56:57 -0700
Subject: [PATCH 7/7] Update rfd text to reflect tag change
---
 rfds/0000-public-forum-link.md | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/rfds/0000-public-forum-link.md b/rfds/0000-public-forum-link.md
index df8383ea421..01a7d2c892d 100644
--- a/rfds/0000-public-forum-link.md
+++ b/rfds/0000-public-forum-link.md
@@ -18,13 +18,10 @@ By the nature of multitude of possible ways an advisory disclosure may conclude,
 ## Proposed Solution
 [proposed-solution]: #proposed-solution
-This RFD proposes one new optional CVE property of the form
+This RFD proposes one reference type
 ```
-"discussionForum": {
- "description": "The canonical forum for discussing CVE details.",
- "$ref": "#/definitions/uriType"
- },
+"discussion-forum"
 ```
 The details are not set in stone, but the idea is to provide a URL which points a consumer of a CVE in the right direction should they have issue with the record. Tooling could even integrate this into how records are presented. Ideally this is public both for the benefit of community knowledge and to reduce duplicate work on the part of the humans tasked to operate the forum.
@@ -46,7 +43,7 @@ Low. This field can be safely ignored.
 ## Compatibility and Migration
 [compatibility-and-migration]: #compatibility-and-migration
-It adds one optional property
+It adds one new reference type
 ## Success Metrics
 [success-metrics]: #success-metrics
@@ -80,4 +77,4 @@ How to handle the case where an adp and cna both publish unique discussion forum
 ## Future Possibilities
 [future-possibilities]: #future-possibilities
-I'd love to see a CNA use this field dynamically such that the record for CVE-808-12345 would point to the individual topic for that CVE record. With this approach user would be welcomed to an ongoing conversation rathar than needing to search.
+I'd love to see a CNA use this dynamically such that the record for CVE-808-12345 would point to the individual topic for that CVE record. With this approach user would be welcomed to an ongoing conversation rathar than needing to search.