Adds documentation for CVE ID Request button

doc/user/application_security/cve_id_request.md

+---
+type: tutorial
+stage: Secure
+group: Vulnerability Research
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
+---
+
+# CVE ID Requests
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/41203) in GitLab 13.4, only for public projects on GitLab.com.
+
+As part of [GitLab's role as a CVE Numbering Authority](https://about.gitlab.com/security/cve)
+([CNA](https://cve.mitre.org/cve/cna.html)), you may request
+[CVE](https://cve.mitre.org/index.html) identifiers from GitLab to track
+vulnerabilities found within your project.
+
+## Overview
+
+CVE identifiers track specific vulnerabilities within projects. Having a CVE assigned to a
+vulnerability in your project helps your users stay secure and informed. For example,
+[dependency scanning tools](../application_security/dependency_scanning/index.md)
+can detect when vulnerable versions of your project are used as a dependency.
+
+## Conditions
+
+If the following conditions are met, a **Request CVE ID** button appears in your issue sidebar:
+
+- The project is hosted in GitLab.com.
+- The project is public.
+- You are a maintainer of the project.
+- The issue is confidential.
+
+## Submitting a CVE ID Request
+
+Clicking the **Request CVE ID** button in the issue sidebar takes you to the new issue page for
+[GitLab's CVE project](https://gitlab.com/gitlab-org/cves).
+
+![CVE ID request button](img/cve_id_request_button.png)
+
+Creating the confidential issue starts the CVE request process.
+
+![New CVE ID request issue](img/new_cve_request_issue.png)
+
+You are required to fill in the issue description, which includes:
+
+- A description of the vulnerability
+- The project's vendor and name
+- Impacted versions
+- Fixed versions
+- The vulnerability type (a [CWE](https://cwe.mitre.org/data/index.html) identifier)
+- A [CVSS v3 vector](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
+
+## CVE Assignment
+
+GitLab triages your submitted CVE ID request and communicates with you throughout the CVE validation
+and assignment process.
+
+![CVE ID request communication](img/cve_request_communication.png)
+
+Once a CVE identifier is assigned, you may use and reference it as you see fit.
+
+Details of the vulnerability submitted in the CVE ID request are published according to your
+schedule. It's common to request a CVE for an unpatched vulnerability, reference the assigned CVE
+identifier in release notes, and later publish the vulnerability's details after the fix is
+released.
+
+Separate communications notify you when different stages of the publication process are complete.
+
+![CVE ID request publication communication](img/cve_request_communication_publication.png)

doc/user/application_security/index.md

@@ -246,7 +246,9 @@ You can create an issue for a vulnerability by visiting the vulnerability's page
 This creates a [confidential issue](../project/issues/confidential_issues.md) in the project the
 vulnerability came from, and pre-populates it with some useful information taken from the vulnerability
 report. Once the issue is created, you are redirected to it so you can edit, assign, or comment on
-it.
+it. CVE identifiers can be requested from GitLab by clicking the
+[_CVE ID Request_ button](cve_id_request.md) that is enabled for maintainers of
+public projects on GitLab.com
 
 Upon returning to the group security dashboard, the vulnerability now has an associated issue next
 to the name.

doc/user/permissions.md

@@ -122,6 +122,7 @@ The following table depicts the various user permission levels in a project.
 | Manage Feature Flags **(PREMIUM)**                |         |            | ✓           | ✓        | ✓      |
 | Create/edit/delete metrics dashboard annotations  |         |            | ✓           | ✓        | ✓      |
 | Run CI/CD pipeline against a protected branch     |         |            | ✓ (*5*)     | ✓        | ✓      |
+| Request a CVE ID **(FREE ONLY)**                  |         |            |             | ✓        | ✓      |
 | Use environment terminals                         |         |            |             | ✓        | ✓      |
 | Run Web IDE's Interactive Web Terminals **(ULTIMATE ONLY)** |     |      |             | ✓        | ✓      |
 | Add new team members                              |         |            |             | ✓        | ✓      |

doc/user/project/index.md

@@ -37,6 +37,8 @@ When you create a project in GitLab, you'll have access to a large number of
   - [Signing commits](gpg_signed_commits/index.md): use GPG to sign your commits
   - [Deploy tokens](deploy_tokens/index.md): Manage project-based deploy tokens that allow permanent access to the repository and Container Registry.
 - [Web IDE](web_ide/index.md)
+- [CVE ID Requests](../application_security/cve_id_request.md): Request a CVE identifier to track a
+  vulnerability in your project.
 
 **Issues and merge requests:**
 

doc/user/project/settings/index.md

@@ -100,6 +100,16 @@ Some features depend on others:
 - Metrics dashboard access requires reading both project environments and deployments.
   Users with access to the metrics dashboard can also access environments and deployments.
 
+#### Disabling the CVE ID request button
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/41203) in GitLab 13.4, only for public projects on GitLab.com.
+
+In applicable environments, a [**Create CVE ID Request** button](../../application_security/cve_id_request.md)
+is present in the issue sidebar. The button may be disabled on a per-project basis by toggling the
+setting **Enable CVE ID requests in the issue sidebar**.
+
+![CVE ID Request toggle](img/cve_id_request_toggle.png)
+
 #### Disabling email notifications
 
 Project owners can disable all [email notifications](../../profile/notifications.md#gitlab-notification-emails)