
Require CVE ID in advisories, year portion of ID, grammar #9

Open · 4 commits · base: master

Conversation

zmanion (Contributor) commented Dec 30, 2024

The current rules allow a CNA to not publish an advisory about a CVE ID they assigned, and also an advisory is not required to cite the relevant CVE ID(s).

Signed-off-by: Art Manion <zmanion@protonmail.com>
eslerm commented Jan 8, 2025

I am cautious about adding requirements which could become roadblocks to CNA communication.

However, given that there are some very low quality CNAs which are degrading the integrity of the CVE Program, I believe this is necessary.

Could 5.3.3.1 SHOULD NOT require registration or login also be changed to 5.3.3.1 MUST NOT require registration or login as well? Otherwise, I do not believe this change will have the intended effect.

In my personal opinion, this would help lower the noise that VulDB adds to the CVE Program.

eslerm@aeon:~/code/eslerm/nvd-mirror/2023$ grep -rl "Permissions Required" | xargs grep -l "vuldb"|wc -l
1150
eslerm@aeon:~/code/eslerm/nvd-mirror/2023$ grep -rl "Permissions Required" |wc -l
2032
eslerm@aeon:~/code/eslerm/nvd-mirror/2023$ grep -rl "vuldb" |wc -l
1519
eslerm@aeon:~/code/eslerm/nvd-mirror/2023$ cd ../2024/
eslerm@aeon:~/code/eslerm/nvd-mirror/2024$ grep -rl "Permissions Required" | xargs grep -l "vuldb"|wc -l
1694
eslerm@aeon:~/code/eslerm/nvd-mirror/2024$ grep -rl "Permissions Required" |wc -l
2147
eslerm@aeon:~/code/eslerm/nvd-mirror/2024$ grep -rl "vuldb" |wc -l
2915

Signed-off-by: Art Manion <zmanion@protonmail.com>
zmanion (Contributor, Author) commented Jan 9, 2025

@ElectricNroff raised a good point, there are valid reasons for a CNA to assign CVE IDs and publish CVE Records but not also publish an advisory. Examples of this include a CNA LR and a coordinator CNA.

CNAs MUST publish Vulnerability advisories or other information about Vulnerabilities for which the CNA has assigned CVE IDs and published CVE Records.

Maybe the distinction is that supplier CNAs MUST publish advisories? "Advisory" should be defined broadly to include nearly any documentation about the vulnerability (and probably the fix) such as change logs, tickets, issues, release notes.

Or maybe the distinction is slightly broader than "supplier," something about "first public disclosure?" This would cover e.g., a research or coordinator CNA. CNA-LRs could be exempted.

zmanion (Contributor, Author) commented Jan 9, 2025

A partial CNA-LR exemption already exists:

2.4.3 [CNA LRs] MAY limit effort to optimize service given resource constraints, for example, by not notifying Suppliers who are not CNAs (4.3.2) and by not publishing advisories or other information about vulnerabilities (4.5.2.1) for assigned CVE IDs.

zmanion (Contributor, Author) commented Jan 9, 2025

Could 5.3.3.1 SHOULD NOT require registration or login also be changed to 5.3.3.1 MUST NOT require registration or login as well? Otherwise, I do not believe this change will have the intended effect.

@eslerm could you open a separate issue for this? I think it's worth discussing but would prefer to do so independently of this PR.

zmanion (Contributor, Author) commented Jan 9, 2025

At least one example where the lack of CVE ID referenced in a vendor advisory caused unnecessary confusion and cost:

https://security-portal.versa-networks.com/emailbulletins/6735a300415abb89e9a8a9d3
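The two technical threads above (eslerm's grep counts over an NVD mirror, and the requirement that a published advisory actually cite the CVE ID it covers) can be checked mechanically. The script below is an added example written for this page; it is not code from the PR, the CNA rules, or any CVE Program tooling. The record layout (a small dataclass standing in for a CVE record), the CNA short names, the CVE IDs and the advisory texts are all constructed for illustration. It validates the ID syntax (including a plausible year portion), checks whether an advisory body names the assigned ID regardless of letter case, buckets records by failure mode, and reproduces the grep-style count offline against the in-memory records.

```python
"""Audit CVE records for the advisory-citation requirement discussed in this PR.

Added example, not part of the PR or of the CNA rules. The record layout and
every sample record below are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# CVE ID syntax: "CVE-" + four-digit year + "-" + sequence of at least four digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
# Same shape, anywhere in free text, any letter case (advisories are not consistent).
CVE_MENTION_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
FIRST_CVE_YEAR = 1999  # the CVE Program began assigning IDs in 1999


def parse_cve_id(cve_id: str) -> tuple[int, int]:
    """Return (year, sequence) for a well-formed ID, else raise ValueError."""
    m = CVE_ID_RE.match(cve_id)
    if m is None:
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    year, seq = int(m.group(1)), int(m.group(2))
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"implausible year portion in {cve_id!r}")
    return year, seq


def cited_cve_ids(text: str) -> set[str]:
    """Every CVE ID mentioned in an advisory body, normalised to upper case."""
    return {m.upper() for m in CVE_MENTION_RE.findall(text)}


def advisory_cites(advisory_text: str, cve_id: str) -> bool:
    """True if the advisory body names the given (validated) CVE ID."""
    parse_cve_id(cve_id)
    return cve_id.upper() in cited_cve_ids(advisory_text)


@dataclass
class CveRecord:
    cve_id: str
    cna: str                      # assigning CNA's short name (constructed)
    description: str              # CVE record description
    advisory_text: Optional[str]  # body of the CNA's advisory, None if none was published


def audit(records: list[CveRecord]) -> dict[str, list[str]]:
    """Bucket records as 'ok', 'no_advisory' (none published), 'missing_id'
    (advisory exists but never cites the assigned ID) or 'bad_id' (malformed ID)."""
    buckets: dict[str, list[str]] = defaultdict(list)
    for r in records:
        try:
            parse_cve_id(r.cve_id)
        except ValueError:
            buckets["bad_id"].append(r.cve_id)
            continue
        if r.advisory_text is None:
            buckets["no_advisory"].append(r.cve_id)
        elif not advisory_cites(r.advisory_text, r.cve_id):
            buckets["missing_id"].append(r.cve_id)
        else:
            buckets["ok"].append(r.cve_id)
    return dict(buckets)


def count_records(records: list[CveRecord], needle: str, cna: Optional[str] = None) -> int:
    """Offline equivalent of the grep counts above: records whose description
    contains `needle`, optionally restricted to one CNA."""
    return sum(1 for r in records
               if needle in r.description and (cna is None or r.cna == cna))


# Constructed sample records; IDs, CNA names and texts are invented for this example.
SAMPLE_RECORDS = [
    CveRecord("CVE-2024-0001", "vendor_a", "Stack overflow in the admin console.",
              "Advisory VA-01 fixes CVE-2024-0001 in release 2.3.1."),
    CveRecord("CVE-2024-0002", "vendor_a", "Permissions Required: admin. Stored XSS.",
              "Advisory VA-02: a stored XSS was fixed in release 2.3.2."),  # no ID cited
    CveRecord("CVE-2024-0003", "coordinator_b", "Permissions Required: user. SQL injection.",
              None),                                                        # no advisory at all
    CveRecord("CVE-2023-12345", "vendor_c", "Path traversal in the upload handler.",
              "See cve-2023-12345 (five-digit sequence, lower case in the text)."),
    CveRecord("CVE-24-0004", "vendor_c", "Malformed ID on purpose.", "n/a"),
]


if __name__ == "__main__":
    for bucket, ids in sorted(audit(SAMPLE_RECORDS).items()):
        print(f"{bucket:12s} {', '.join(ids)}")
    print("vendor_a records mentioning 'Permissions Required':",
          count_records(SAMPLE_RECORDS, "Permissions Required", cna="vendor_a"))
```

Against a real mirror the `advisory_text` field would be filled from the record's reference URLs; the classification logic is the part that matters, and the `no_advisory` bucket is exactly the case the thread debates (CNA-LRs and coordinator CNAs legitimately land there, supplier CNAs should not).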

todb and others added 2 commits January 22, 2025 16:11
Signed-off-by: Tod Beardsley <todb@packetfu.com>
Soften 4.5.2.1 to SHOULD, keep supplier MUST
zmanion changed the title from "require CNAs to publish advisories that reference CVE IDs" to "Require CVE ID in advisories, year portion of ID, grammar" on Mar 4, 2025