Validate and warn if datePublic is in the future #118
Comments
|
Restating: datePublic should never be later than datePublished, as publishing in CVE makes the vulnerability public. |
|
Proposal: Services checks datePublic if set, if in future, return error and do not publish CVE Record. |
|
This was actually already addressed in CVE Services: CVEProject/cve-services#1097 . Closing! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Discussed on the 2023-07-11 AWG call, datePublic is an optional field set by the CNA. It seems that at least once, a CNA thought that datePublic controlled when the CVE record would be published. The CVE record is published the moment the CNA submits the record content to the services.
We should review and if necessary improve the documentation for datePublic.
Should the services check datePublic, and if it is set in the future, refuse to accept the submission and return an error message?
The text was updated successfully, but these errors were encountered: