Add guidance about year portion of the ID

[zmanion]

Add guidance to the assignment rules about the year portion of the ID.

Confirm that the year part of a CVE ID SHOULD (or MUST?) be the calendar year in which the vulnerability was first publicly disclosed or develop correct guidance.

[zmanion]

Somewhat related, .containers.cna.datePublished is optional. The year portion of datePublic should match the year portion of the CVE ID. Also maybe datePublic belongs in .cveMetadata since there should be public evidence to support this date (IOW, it is true for everyone, not just the container owner).

[eslerm]

This would be helpful. My impression was that the year specified when the issue was first disclosed, not when it was first publicly disclosed.

[zmanion]

I'm mildly in favor of using the year of public disclosure, otherwise only the CNA (and possibly a few others involved in a private disclosure) would know or care about the year of pre-public disclosure. CVE is about publicly disclosed vulnerabilities, so the date (year) should be based on that.

Also the proposed change is a recommendation not a requirement:

4.2.21 CNAs SHOULD assign the year portion of a CVE ID based on the calendar year in which the vulnerability was first publicly disclosed.

[todb]

Since adding or removing SHOULD and MAY directives aren't breaking changes to the rules, I'm super on board with this clarification.