Prerequisites
- Put an X between the brackets on this line if you have done all of the following:
- Checked the FAQs on the message board for common solutions: (TBD)
- Checked that your issue isn't already filed.
Description
When a CNA transfers their ownership of a CVE ID to another CNA, that CNA can see who the original assigner of the CVE ID was. For any other CVE IDs owned by other CNAs, that field is not visible to any other CNA.
Steps to Reproduce
Transfer a CVE from one CNA to another using PUT "https://cveawg.mitre.org/api/cve-id/CVE-NNNN-ZZZZZ/?org=<NEW_CNA>".
Expected behavior:
The CVE, now owned by NEW_CNA, can be viewed by the CNA and the identity of the original assigner is visible.
Actual behavior:
We don't really define whether user identities are secret, but if they should not be disclosed outside of a CNA's scope, then the assignee username of a transferred CVE ID should be redacted.
Reproduces how often:
100%
Versions
All versions, the latest being 2.5.4
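One way to apply the redaction this report suggests, as an added example that is not part of the original issue or the project's own code: the assigner's username is blanked in a CVE ID record unless the viewer belongs to the organization that originally reserved the ID. The field names (`owning_cna`, `requested_by.cna`, `requested_by.user`), the `isSecretariat` flag and the sample records are assumptions made for illustration.

```javascript
// Added example. Record shape and viewer fields are assumed, not taken from the issue.
const REDACTED = "[REDACTED]";

// Constructed sample records: the first was transferred from old_cna to new_cna.
const SAMPLE_RECORDS = [
  { cve_id: "CVE-NNNN-00001", owning_cna: "new_cna",
    requested_by: { cna: "old_cna", user: "alice@old-cna.example" } },
  { cve_id: "CVE-NNNN-00002", owning_cna: "new_cna",
    requested_by: { cna: "new_cna", user: "bob@new-cna.example" } },
  { cve_id: "CVE-NNNN-00003", owning_cna: "new_cna" }, // no assigner recorded
];

// Return a copy of the record that is safe to show to `viewer`.
// The username stays visible only to the organization that reserved the ID,
// or to a viewer holding the (assumed) secretariat role.
function redactAssigner(record, viewer) {
  if (!record.requested_by) {
    return { ...record };
  }
  const out = { ...record, requested_by: { ...record.requested_by } };
  const sameOrg = viewer.org === record.requested_by.cna;
  if (!sameOrg && !viewer.isSecretariat) {
    out.requested_by.user = REDACTED;
  }
  return out;
}

// Apply the same rule to a list response, so a transferred ID does not
// leak the username through a bulk query either.
function redactAssignerList(records, viewer) {
  return records.map((r) => redactAssigner(r, viewer));
}

function demo() {
  const asNewOwner = redactAssignerList(SAMPLE_RECORDS, { org: "new_cna" });
  const asOldOwner = redactAssignerList(SAMPLE_RECORDS, { org: "old_cna" });
  return { asNewOwner, asOldOwner };
}

console.log(JSON.stringify(demo(), null, 2));
```

The originating organization name is left visible here because the report only raises the username; redacting `requested_by.cna` as well would be a one-line change in the same function.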