Description
Proposed New Idea/Feature (required)
CVE.org currently does not show a change history when viewing individual vulnerabilities. The general public would benefit from being able to see when changes are made to the CVE record, such as when a CVSS score is determined or updated, or when CPEs are added. The date and time of change could add important context to the update. Oftentimes, information in the CVE is changed without notice and users are unable to determine when it occurred and if they're relying on outdated information since the time they last accessed the CVE record.
Additional Notes (Optional)
Recently on social media, a vulnerability reporter disputed the CVSS vector of a CVE as assessed by CISA-ADP: https://infosec.exchange/@harrysintonen/113656575021581029 . The CVSSv3.1 score was subsequently updated twice in the span of 2 hours. Someone viewing https://www.cve.org/CVERecord?id=CVE-2024-11053 would only see CISA's latest score, while another viewing https://nvd.nist.gov/vuln/detail/CVE-2024-11053#VulnChangeHistorySection would be able to tell that the original score was changed twice from a 9.1 critical AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N to a 5.9 medium 3.4 low AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N, inferring that the ADP double-checked their own analysis and arrived at a different conclusion.