Description
The Board and Program have recently been discussing inactive CNAs. There are perhaps three interwoven topics:
- Criteria for approving new CNAs
- Handling inactive CNAs (see the current CVE Program Policy and Procedure for Inactive CNAs)
- CVE Record information quality and completeness (related: the CNA Enrichment Recognition List)
This GitHub issue is primarily to track the discussion and decisions about topic #2, inactive CNAs; however, changing the criteria for approving new CNAs (#1) could influence (reduce) the future number of inactive CNAs.
New CNA approval is currently on hold. The expectation is for this hold to be short; this is a top priority for the Board.
~125 CNAs have not published a CVE Record in the past year, which according to current policy means the CNAs should be contacted and possibly removed. The policy is subject to revision once the Board reaches a decision.
What are the pros and cons of having a non-trivial proportion of CNAs being inactive?
- There is no real "carrying cost" to having inactive CNAs.
- There may be "dilution" or "inflation" effects.
- Organizations may benefit from being CNAs ("in name only") without contributing to the Program.
- CNAs may use their authority to delay or block CVE ID assignments. There are no clear and ongoing examples of this behavior, and the "first-refusal" policy should prevent or limit it.