|
| 1 | +# Optional discussion forum advertisement |
| 2 | + |
| 3 | +| Field | Value | |
| 4 | +|:-----------------|:-------| |
| 5 | +| RFD Submitter | Jon Moroney | |
| 6 | +| RFD Pull Request | [RFD #0000](https://github.com/CVEProject/cve-schema/pull/1234) | |
| 7 | + |
| 8 | +## Summary |
| 9 | +[summary]: #summary |
| 10 | + |
| 11 | +Introduce an optional field to advertise a public comment forum. The goal is to ensure that record readers know where to go to inquire about or dispute record details. Ensuring there's a standard format allows tools to advertise feedback points which in turn allows more CNAs to take feedback and to iteritvly improve the quality of their record sets. |
| 12 | + |
| 13 | +## Problem Statement |
| 14 | +[problem-statement]: #problem-statement |
| 15 | + |
| 16 | +By the nature of multitude of possible ways an advisory disclosure may conclude, CVE records are often incomplete or inaccurate at time of publication. As details and context come to light individuals will notice the deficiencies and ideally the individual reports and resolves their observation with the record owner. More eyeballs tend to find more bugs and the community as a whole benefits from an advisory corpus which improves over time. |
| 17 | + |
| 18 | +## Proposed Solution |
| 19 | +[proposed-solution]: #proposed-solution |
| 20 | + |
| 21 | +This RFD proposes one new optional CVE property of the form |
| 22 | + |
| 23 | +``` |
| 24 | +"discussionForum": { |
| 25 | + "description": "The canonical forum for discussing CVE details.", |
| 26 | + "$ref": "#/definitions/uriType" |
| 27 | + }, |
| 28 | +``` |
| 29 | + |
| 30 | +The details are not set in stone, but the idea is to provide a URL which points a consumer of a CVE in the right direction should they have issue with the record. Tooling could even integrate this into how records are presented. Ideally this is public both for the benefit of community knowledge and to reduce duplicate work on the part of the humans tasked to operate the forum. |
| 31 | + |
| 32 | +## Examples |
| 33 | +[examples]: #examples |
| 34 | + |
| 35 | +Both Github and CISA are already operating feedback forums. |
| 36 | + |
| 37 | +https://github.com/github/advisory-database/ |
| 38 | +and |
| 39 | +https://github.com/cisagov/vulnrichment |
| 40 | + |
| 41 | +## Impact Assessment |
| 42 | +[impact-assessment]: #impact-assessment |
| 43 | + |
| 44 | +Low. This field can be safely ignored. |
| 45 | + |
| 46 | +## Compatibility and Migration |
| 47 | +[compatibility-and-migration]: #compatibility-and-migration |
| 48 | + |
| 49 | +It adds one optional property |
| 50 | + |
| 51 | +## Success Metrics |
| 52 | +[success-metrics]: #success-metrics |
| 53 | + |
| 54 | +Success would be CNAs/ADPs other than Github and CISA standing up feedback forums and welcoming feedback. |
| 55 | + |
| 56 | +## Supporting Data or Research |
| 57 | +[supporting-data-or-research]: #supporting-data-or-research |
| 58 | + |
| 59 | +Seems to be working well for Github and CISA. |
| 60 | + |
| 61 | +## Related Issues or Proposals |
| 62 | +[related-issues-or-proposals]: #related-issues-or-proposals |
| 63 | + |
| 64 | +None |
| 65 | + |
| 66 | +## Recommended Priority |
| 67 | +[recommended-priority]: #recommended-priority |
| 68 | + |
| 69 | +Medium |
| 70 | + |
| 71 | +## Unresolved Questions |
| 72 | +[unresolved-questions]: #unresolved-questions |
| 73 | + |
| 74 | +How to handle the case where an adp and cna both publish unique discussion forums. |
| 75 | +* Let both/all exist? |
| 76 | +* First come first serve and reject others? |
| 77 | +* Have some process to give up claim/transfer with this? |
| 78 | +* Something else? |
| 79 | + |
| 80 | +## Future Possibilities |
| 81 | +[future-possibilities]: #future-possibilities |
| 82 | + |
| 83 | +I'd love to see a CNA use this field dynamically such that the record for CVE-808-12345 would point to the individual topic for that CVE record. With this approach user would be welcomed to an ongoing conversation rathar than needing to search. |
0 commit comments