How are the tag records managed by the CVE Program?

[adulau]

There is a list of some tags described https://nvd.nist.gov/vuln/vulnerability-detail-pages and some more in VulnoGram.

• What is the current official source for vulnerability tags?
• How are namespaces managed? Is it possible to define and use our own namespace if needed?
• Is there a straightforward process to propose new tags?

[adulau]

The NVD tags have added to the MISP vulnerability taxonomy with a NVD predicate.

MISP/misp-taxonomies@9ac2eb3

[jayjacobs]

They are currently defined in the CVE JSON schema, around line 344 (in the cnaTags), the adpTags are just below it (and it looks like only "disputed" is allowed).

It is possible to toss whatever unstructured and undefined stuff people want with x_* tags.

Is there a straightforward process to propose new tags?

Perhaps the easiest is to just toss what you're thinking here, the QWG is moving to the RFD process, and you could also submit an RFD. Adding tags should be relatively low-lift, I would think. One of the challenges with existing tags is that a tag is either present or not, which makes it impossible to know if a tag definitely does not apply or if nobody cared to set it. For example, if a CVE does not have an "unsupported-when-assigned" tag, does that mean it was supported when assigned or that nobody bothered to look it up?