Description
These are different types of disputes that should be handled somewhat differently:
1. vulnerability determination
2. whether to assign and which CNA assigns
Vulnerability determination is independent of first refusal.
The current rule routes both types to the Dispute Resolution process:
4.2.1.3 For Vulnerabilities that are not yet Publicly Disclosed, if the CNA with the most appropriate scope decides not to assign, the party requesting assignment MUST follow the dispute resolution guidance in 4.6.
Proposed change: Continue to route vulnerability determination (1.) disputes through the Dispute process. If a CNA with most appropriate scope does not dispute vulnerability determination (2.), then another CNA with appropriate scope can assign without invoking the Dispute process.
4.2.1.3 For Vulnerabilities that are not yet Publicly Disclosed, if the CNA with the most appropriate scope (possibly changing to "the Supplier CNA or their agent"):
- determines that no Vulnerability exists, then the CNA and party requesting assignment MUST follow the dispute resolution guidance in 4.6.
- determines that a Vulnerability exists but chooses not to assign, then the party requesting assignment, if they are a CNA with appropriate scope, MAY assign.
Important note: review the Dispute Policy for any conflicts related to changes from this issue.
Also, this issue intersects with #27 since "appropriate scope" is involved. Most likely 4.2.1.2 and 4.2.1.3 will need to be modified in coordination.