Merge branch 'russell/ctrt-edit-cve-id-request' into 'master'

CTRT edits to CVE IDE request docs

See merge request gitlab-org/gitlab!71251

doc/user/application_security/cve_id_request.md

@@ -5,65 +5,64 @@ group: Threat Insights
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
 ---
 
-# CVE ID Requests **(FREE SAAS)**
+# CVE ID request **(FREE SAAS)**
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/41203) in GitLab 13.4, only for public projects on GitLab.com.
 
-As part of [our role as a CVE Numbering Authority](https://about.gitlab.com/security/cve/)
-([CNA](https://cve.mitre.org/cve/cna.html)), you may request
-[CVE](https://cve.mitre.org/index.html) identifiers from GitLab to track
-vulnerabilities found within your project.
+A [CVE](https://cve.mitre.org/index.html) identifier is assigned to a publicly-disclosed software
+vulnerability. GitLab is a [CVE Numbering Authority](https://about.gitlab.com/security/cve/)
+([CNA](https://cve.mitre.org/cve/cna.html)). For any public project you can request
+a CVE identifier (ID).
 
-## Overview
+Assigning a CVE ID to a vulnerability in your project helps your users stay secure and informed. For
+example, [dependency scanning tools](../application_security/dependency_scanning/index.md) can
+detect when vulnerable versions of your project are used as a dependency.
 
-CVE identifiers track specific vulnerabilities within projects. Having a CVE assigned to a
-vulnerability in your project helps your users stay secure and informed. For example,
-[dependency scanning tools](../application_security/dependency_scanning/index.md)
-can detect when vulnerable versions of your project are used as a dependency.
+A common vulnerability workflow is:
 
-## Conditions
+1. Request a CVE for a vulnerability.
+1. Reference the assigned CVE identifier in release notes.
+1. Publish the vulnerability's details after the fix is released.
 
-If the following conditions are met, a **Request CVE ID** button appears in your issue sidebar:
+## Prerequisites
 
-- The project is hosted in GitLab.com.
+To [submit a CVE ID Request](#submit-a-cve-id-request) the following prerequisites must be met:
+
+- The project is hosted on GitLab.com.
 - The project is public.
 - You are a maintainer of the project.
-- The issue is [confidential](../project/issues/confidential_issues.md).
-
-## Submitting a CVE ID Request
-
-Clicking the **Request CVE ID** button in the issue sidebar takes you to the new issue page for
-the [GitLab CVE project](https://gitlab.com/gitlab-org/cves).
+- The vulnerability's issue is [confidential](../project/issues/confidential_issues.md).
 
-![CVE ID request button](img/cve_id_request_button.png)
+## Submit a CVE ID request
 
-Creating the [confidential issue](../project/issues/confidential_issues.md) starts the CVE request process.
+To submit a CVE ID request:
 
-![New CVE ID request issue](img/new_cve_request_issue.png)
+1. Go to the vulnerability's issue and select **Create CVE ID Request**. The new issue page of
+   the [GitLab CVE project](https://gitlab.com/gitlab-org/cves) opens.
 
-You are required to fill in the issue description, which includes:
+   ![CVE ID request button](img/cve_id_request_button.png)
 
-- A description of the vulnerability
-- The project's vendor and name
-- Impacted versions
-- Fixed versions
-- The vulnerability type (a [CWE](https://cwe.mitre.org/data/index.html) identifier)
-- A [CVSS v3 vector](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
+1. In the **Title** box, enter a brief description of the vulnerability.
 
-## CVE Assignment
+1. In the **Description** box, enter the following details:
 
-GitLab triages your submitted CVE ID request and communicates with you throughout the CVE validation
-and assignment process.
+   - A detailed description of the vulnerability
+   - The project's vendor and name
+   - Impacted versions
+   - Fixed versions
+   - The vulnerability class (a [CWE](https://cwe.mitre.org/data/index.html) identifier)
+   - A [CVSS v3 vector](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
 
-![CVE ID request communication](img/cve_request_communication.png)
+   ![New CVE ID request issue](img/new_cve_request_issue.png)
 
-Once a CVE identifier is assigned, you may use and reference it as you see fit.
+GitLab updates your CVE ID request issue when:
 
-Details of the vulnerability submitted in the CVE ID request are published according to your
-schedule. It's common to request a CVE for an unpatched vulnerability, reference the assigned CVE
-identifier in release notes, and later publish the vulnerability's details after the fix is
-released.
+- Your submission is assigned a CVE.
+- Your CVE is published.
+- MITRE is notified that your CVE is published.
+- MITRE has added your CVE in the NVD feed.
 
-Separate communications notify you when different stages of the publication process are complete.
+## CVE assignment
 
-![CVE ID request publication communication](img/cve_request_communication_publication.png)
+After a CVE identifier is assigned, you can reference it as required. Details of the vulnerability
+submitted in the CVE ID request are published according to your schedule.