Exception to problem type requirement #26
Description
Current rule:
5.1.7 MUST identify the type of Vulnerability. The CVE record SHOULD use the Common Weakness Enumeration (CWE™) to classify the type or cause of the Vulnerability. A CVE Record MAY contain multiple types or causes of the Vulnerability.
Waxing somewhat philosophical, knowing the type of the vulnerability is logically not necessary to assert (or believe) that a vulnerability exists and to at least start vulnerability management activities.
Two examples where it was valuable to assign CVE IDs without problemTypes:
https://www.cve.org/CVERecord?id=CVE-2024-9537
https://www.cve.org/CVERecord?id=CVE-2025-34158 (problemType was added after initial publication)
An example where a CVE ID has not been assigned, possibly due to the inability to determine problemType:
https://invisioncommunity.com/release-notes-v5/507-r41/
Options include:
- Broadly relaxing 5.1.7 from MUST to SHOULD. Discussion in the SPWG lead to the opinion that this is not the way.
- Add an exception to the rules so that a CVE Record MAY be published lacking problemType, but only in cases in which the information is unavailable. These cases may be rare, however two examples are cited above. problemType SHOULD be added to the Record as soon as possible after publication.
- A variant of 2, add support for a special "not available" problemType, similar to the NVD "NVD-CWE-noinfo" value. This might require a CVE Record Format schema update.
- Require first-party CNAs (usually but not limited to Supplier CNAs) to provide problemType. If a CNA is going to assign and publish for a vulnerability the CNA is technically familiar with (discovered, reported, fixed), then the CNA is able to provide a problemType.
- The exception (2.) could be granted only for non-first-party CNAs and require use of a special value (3.)