RFD for public discussion forum #462
Conversation
Why add this as an optional field over adding a reference tag?
Could this be supported as a reference tag type without a bespoke property?

```json
{
  "references": [
    {
      "url": "https://example.com/discussion/cve-0000-0000",
      "tags": ["discussion-forum"]
    }
  ]
}
```
Full transparency: my ignorance of tags and unconscious biases about data structures is why.
Ya it certainly could. I have no real preference, but switching to a tag would beg the question about forum uniqueness in a more direct way than I had considered in the RFD text. I don't think we would want a single CNA to publish two unique urls with a
I've gone ahead and updated the PR to reflect the tag approach. Let me know if there's anything missing and still curious what you all think about the uniqueness constraint. @ElectricNroff also curious to get your thoughts.
I've been struggling to land one way or the other on the uniqueness point. At face value it seems perfectly reasonable to require it be unique in order to funnel people looking for a forum to provide feedback or inquire about additional information to a single place, to prevent repeated questions or fragmented conclusions. But, particularly with the role that ADPs play, should it be able to be provided by multiple parties who are responsible for the information that they are producing? For example, some researcher requests a CVE which is then published by MITRE. The record is enriched with additional information by CISA-ADP. Later, some consumer of this record has a question about some information that CISA provided that's not clearly conveyed in the CNA container. Wouldn't it be worthwhile for each party involved to be able to provide an avenue for open discussion? Limiting that to any one of the entities providing information risks being unable to actually reach the entity making the claim that the consumer would like to discuss. This of course creates fragmentation in the information available from each source, and puts the onus on the consumer to check multiple sources in order to collect the state of information about the CVE. Ideally, any new information would be appended to the record itself, but that's not always the value of these types of discussions. There's also a lingering concern I have that as time moves on and any of these forums become defunct, we wouldn't want to remove them when replacing/updating them. They may be worth keeping to reference for historical purposes, even as they become unavailable. Although I don't think they'd need to keep the label in order to do so, so this is probably not a meaningful concern. Although I think either decision would be very easy to make a correction from if we regretted it. If we require it to be unique, we can just remove that restriction and not impact records meaningfully.

If we allow multiple and want to restrict, we could just drop the tag from every reference except the latest one from the publishing CNA, which I don't think would be a particularly meaningful change to the data in the record itself. I think I'd be fine to leave it to a coin toss.
Maybe it makes sense to not bother trying to resolve the uniqueness question, to observe how the tag gets used in production and to adapt based on what we see. It lets us avoid rabbit holing and it's just less work up front. It could be the case that no one uses the tag at all, in which case none of that discussion/work would matter, and if it does become confusing we'll at least have specific issues to address.
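To make the two uniqueness policies debated above concrete, here is an added example (not code from this PR or from the CVE project's tooling) that collects `discussion-forum` tagged references per container and reports which containers would violate a per-party rule versus a per-record rule. The container layout (`containers.cna` plus a list of `containers.adp` entries, each with `providerMetadata` and `references`) is assumed to follow the CVE Record Format 5.x; the sample record, its URLs and provider names are constructed.

```python
import json

# Constructed sample record. The container layout is assumed to follow the
# CVE Record Format 5.x; the URLs and provider short names are made up.
SAMPLE_RECORD = json.loads("""
{"cveMetadata": {"cveId": "CVE-0000-0000"},
 "containers": {
   "cna": {"providerMetadata": {"shortName": "ExampleCNA"},
           "references": [
             {"url": "https://example.com/advisory", "tags": ["vendor-advisory"]},
             {"url": "https://example.com/discussion/cve-0000-0000", "tags": ["discussion-forum"]}]},
   "adp": [
     {"providerMetadata": {"shortName": "ExampleADP"},
      "references": [
        {"url": "https://example.org/forum/cve-0000-0000", "tags": ["discussion-forum"]},
        {"url": "https://example.org/forum/old-thread", "tags": ["discussion-forum"]}]}]}}
""")


def discussion_forums(record, tag="discussion-forum"):
    """Map each container ("cna:<shortName>" / "adp:<shortName>") to its forum URLs."""
    containers = record["containers"]
    parties = [("cna", containers["cna"])]
    parties += [("adp", c) for c in containers.get("adp", [])]
    found = {}
    for kind, container in parties:
        name = f'{kind}:{container["providerMetadata"]["shortName"]}'
        urls = [r["url"] for r in container.get("references", [])
                if tag in r.get("tags", [])]
        if urls:
            found[name] = urls
    return found


def violates_per_party(record):
    """Per-party policy: every container may tag a forum, but at most one each."""
    return sorted(n for n, urls in discussion_forums(record).items() if len(urls) > 1)


def violates_per_record(record):
    """Per-record policy: at most one tagged forum across all containers."""
    found = discussion_forums(record)
    total = sum(len(urls) for urls in found.values())
    return sorted(found) if total > 1 else []


if __name__ == "__main__":
    print("per-party violations:", violates_per_party(SAMPLE_RECORD))
    print("per-record violations:", violates_per_record(SAMPLE_RECORD))
```

Run against the sample, the per-party rule flags only the ADP container (two forums), while the per-record rule flags both containers because the record as a whole carries more than one forum.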
This PR introduces an RFD for a new CVE property to make clear where a reader should go to inquire about the CVE in question. An assumption is that the location should be an open, technology-agnostic discussion forum.
Rendered RFD