Better defining "most appropriate scope" and "appropriate scope"

[zmanion]

This is a complex issue that may intersect with another pending issue about vulnerability determination and first refusal (#28).

For this initial issue, I'm going to jump to a proposal, but will add more context in subsequent comments.

Problem: Generally unclear what "(most) appropriate scope" means, especially in certain cases, including the combination of (Publicly Disclosed) and (Supplier is not a CNA).

Jumping ahead to a proposed rules change, current:

4.2.1.2 For Publicly Disclosed Vulnerabilities, if the CNA with the most appropriate scope:

1. preemptively documents that it will not assign, or
2. responds within 72 hours that it will not assign, or
3. does not respond within 72 hours,

then an appropriate Root MUST make a Vulnerability determination. If the Root determines that one or more Vulnerabilities exist, the Root MUST direct a CNA-LR or another CNA with appropriate scope to assign as quickly as possible and no later than 72 hours after becoming aware of the first refusal. Ownership of the CVE Record MAY be transferred.

New:

4.2.1.2 For Publicly Disclosed Vulnerabilities, if the Supplier CNA or their agent:
...

4.2.1.3 For Vulnerabilities that are not yet Publicly Disclosed, if the Supplier CNA or their agent:

[darakian]

Could it make sense to start requiring/strongly requesting CNAs start registering some concrete scope? Somewhat like how the python software foundation
https://www.cve.org/PartnerInformation/ListofPartners/partner/PSF
or the CPAN security group
https://www.cve.org/PartnerInformation/ListofPartners/partner/CPANSec
do

This could be urls like the examples, CPE stubs, purls, whatever else, but something that can be inspected and tested against rather than the prose that most CNAs provide.

[zmanion]

Related to RWG discussion on 2026-01-13, consider a change to the flow of 4.2.1.2, in summary:

1. Vulnerability is Publicly Disclosed
2. CNA with most appropriate scope (possibly being revised to "Supplier CNA") does not act
3. (Change here) Another CNA with appropriate scope, for example, a research or coordiantor CNA with broad "observed" scope MAY act, with some coordination/consideration for collision avoidance
4. (The current path) Root/CNA-LR MUST act

This preserves the "last resort" capability but explicitly adds another option.

Another variant of this ordering. An open question is whether this type of ordering can apply to "appropriate scope" universally or only within the context of 4.2.1.2 (which is the path for Publicly Disclosed vulnerabilities):

1. Supplier CNA
2. Resarcher CNA with first-hand involvement (e.g., discovered and reported the vulnerability)
3. Coordinator CNA involved in CVD (e.g., coordinating with non-CNA Suppliers and Researchers)
4. Researcher or Coordinator CNAs with broad ("observed") scope, with minimal but sufficient collision avoidance
5. Root/CNA-LR, the true "last resort"

[zmanion]

Related document about assignment efficiency: https://docs.google.com/document/d/1vV2pooLkUIRSSMwSp5Shjq5TDCpAzxAkVFnQpJrXxu0