
Inactive CNA discussion #22

@zmanion

Description


The Board and Program have recently been discussing inactive CNAs. There are perhaps three interwoven topics:

  1. Criteria for approving new CNAs
  2. Handling inactive CNAs (see the current CVE Program Policy and Procedure for Inactive CNAs)
  3. CVE Record information quality and completeness (related: the CNA Enrichment Recognition List)

This GitHub issue is primarily to track the discussion and decisions about topic #2, inactive CNAs; however, changing the criteria for approving new CNAs (#1) could influence (reduce) the future number of inactive CNAs.

New CNA approval is currently on hold. The expectation is for this hold to be short; this is a top priority for the Board.

~125 CNAs have not published a CVE Record in the past year, which according to current policy means the CNAs should be contacted and possibly removed. The policy is subject to revision once the Board reaches a decision.

What are the pros and cons of having a non-trivial proportion of CNAs being inactive?

  • There is no real "carrying cost" to having inactive CNAs.
  • There may be "dilution" or "inflation" effects.
  • Organizations may benefit from being CNAs ("in name only") without contributing to the Program.
  • CNAs may use their authority to delay or block CVE ID assignments. There are no clear and ongoing examples of this behavior, and the "first-refusal" policy should prevent or limit it.
