"CNA shopping" mitigation

[zmanion]

Problem: A requester (R) requests assignment from CNA-A, doesn't get an assignment within some timeframe, so R asks CNA-B. There are now possibly two parallel assignment requests pending and the CNAs involved are not aware of each other's involvement. A variant: R requests assignment from CNA-A and the request is declined, so R makes a new serial request of CNA-B.

The term "CNA shopping" is not meant to be pejorative or imply malicious intent. "Duplicate or repeated assignment requests" is a more bland and less loaded term.

General proposal: CNAs who broadly accept assignment requests, primarily third-party CNAs like LRs, coordinator, and researcher CNAs, MUST take some minimal but meaningful action to identify and resolve "shopping."

One concern is that such requirements would place an undue burden on this class of CNA. Another concern: Vague rules are difficult to interpret and enforce.

Proposed new and modified rules:

N.0 If a CNA, including CNA-LRs, accepts external CVE ID assignment requests, the CNA MUST take reasonable steps to detect and mitigate the effects of duplicate or repeated requests made to different CNAs ("CNA shopping").

N.0.1 If a CNA becomes aware of duplicate open assignment requests, the CNA MUST decline to assign until all previous requests are resolved or MUST coordinate with other involved CNAs to resolve the open requests.

N.0.2 If a CNA becomes aware of previous assignment requests that did not result in assignment, the CNA SHOULD determine the resolution of any previous requests and consider the resolutions as part of the CNA's assignment decision.

N.0.3 A CNA MAY implement "reasonable steps to detect" within their assignment request processes, for example, by asking requesters

"Have you previously requested CVE ID assignment from another CNA? If so, what was the result of those requests and are any such requests still pending?"

Or by stating a policy that

"Any pending CVE ID assignment requests with other CNAs must be resolved before we will accept a new assignment request."

[zmanion]

As a current example, the VulnCheck vulnerability report form includes this as a True/False question:

I have previously requested one or more CVEs from MITRE related to this finding but have not received a response.
Check this if you have previously contacted MITRE about this vulnerability but haven't received a response.

[patrickmgarrity]

Thank you for putting together this proposal.

We do have concerns with how the proposed requirements, especially N.0.1, would work in practice.

A common situation we see is that security researchers submit CVE assignment requests to MITRE and receive no response for days, weeks, months or longer. After waiting without acknowledgment or progress, those researchers then come to us for help. At that point, there may technically be an earlier request, but there is no response or engagement from MITRE.
Under N.0.1, CNAs like us would be required to decline assignment or coordinate resolution until the earlier request is resolved.

In practice Mitre has requested for VulnCheck to make a request to the researcher to email MITRE to revoke the request which we were told was sufficient steps from Mitre. This can create significant friction for researchers and delays assignment even when a responsive CNA is ready and able to proceed.

The request we’ve been making to researchers in this unfortunate situation is:
“If you are interested in working with VulnCheck on this request, please follow up on the original CVE request tickets to MITRE (or create a new ticket referencing the original ticket #s) notifying them of your desire to withdraw as you have decided to go with another CNA.”

From our perspective, this is not primarily a CNA shopping problem. It is a program accountability issue. If CNAs are required to pause or decline assignments due to prior requests, then the program also needs to ensure that CNAs respond to assignment requests in a reasonable and predictable timeframe including CNA-LRs.

To be clear, we have not experienced this issue with any other CNA other than MITRE CNA-LR. The problem appears limited to cases where MITRE does not respond at all to real security researchers, not situations where a request was actively reviewed or declined.

We support the goal of reducing duplicate or parallel assignment requests, but N.0.1 as written risks shifting the impact of non-responsiveness CNAs onto researchers and responsive CNAs, while rewarding complacency. That outcome discourages disclosure, slows down the assignment process, and turns security researchers from participating in the CVE Program.

I’ve reported several instances to Mitre as well as Alec Summers and have received acknowledgement but no information on what if any steps are being made to improve the process, while we still see requests being made to VulnCheck due to Mitre being unresponsive on a regular basis.

[JLLeitschuh]

Actually getting CVEs assigned is hard enough as it is, for the researchers who are still willing to play the game, don't make it more difficult for us.

Personally, I literally have an email group in my Gmail called "OSS CNA" that includes VulnCheck, FluidAttacks, Snyk, and RedHat. I send one email requesting a CVE to all of them with a line stating "whoever responds first can have this". Whoever responds to the email thread can have it. Frequently, VulnCheck has been the most receptive, with RedHat in second.

As I commented about on LinkedIn, it seems that Snyk's CNA isn't that active these days:

https://www.linkedin.com/posts/jonathan-leitschuh_vulnerability-disclosure-snyk-activity-7356801841529012224-9q2E

[kernelsmith]

Thank you for putting together this proposal.

We do have concerns with how the proposed requirements, especially N.0.1, would work in practice.

A common situation we see is that security researchers submit CVE assignment requests to MITRE and receive no response for days, weeks, months or longer. After waiting without acknowledgment or progress, those researchers then come to us for help. At that point, there may technically be an earlier request, but there is no response or engagement from MITRE. Under N.0.1, CNAs like us would be required to decline assignment or coordinate resolution until the earlier request is resolved.
...
I’ve reported several instances to Mitre as well as Alec Summers and have received acknowledgement but no information on what if any steps are being made to improve the process, while we still see requests being made to VulnCheck due to Mitre being unresponsive on a regular basis.

Well said