require CNAs to publish advisories that reference CVE IDs

Signed-off-by: Art Manion <zmanion@protonmail.com>

CNA_Rules.md

@@ -2,9 +2,9 @@
 
 | Status | Final |
 | ---: | :--- |
-| Version | 4.0.0 |
-| Approved | 2024-04-25 |
-| Effective | 2024-05-08 |
+| Version | 4.0.1 |
+| Approved | 2025-mm-dd |
+| Effective | 2025-mm-dd |
 
 ## Table of Contents
 
@@ -486,9 +486,9 @@ This section specifies actions related to publishing and managing CVE Records.
 
 4.5.2 Publishing Vulnerability Information
 
-4.5.2.1 CNA SHOULD publish Vulnerability advisories or other information about Vulnerabilities for which the CNA has assigned CVE IDs and published CVE Records. Such information SHOULD meet the public references requirements in [5.3](#53-public-references) and MAY be used as a public reference (see 5.3.1.1).
+4.5.2.1 CNA MUST publish Vulnerability advisories or other information about Vulnerabilities for which the CNA has assigned CVE IDs and published CVE Records. Such information SHOULD meet the public references requirements in [5.3](#53-public-references) and MAY be used as a public reference (see 5.3.1.1).
 
-4.5.2.2 Supplier CNAs MUST have at least one distribution point, such as a web site, where the CNA publishes Vulnerability advisories or other information about Vulnerabilities for which the CNA has assigned CVE IDs and published CVE Records. This Vulnerability information SHOULD reference appropriate CVE IDs.
+4.5.2.2 Supplier CNAs MUST have at least one distribution point, such as a web site, where the CNA publishes Vulnerability advisories or other information about Vulnerabilities for which the CNA has assigned CVE IDs and published CVE Records. This Vulnerability information MUST reference appropriate CVE IDs.
 
 4.5.2.3 The Vulnerability information described in 4.5.2.1 MUST generally support and MUST NOT contradict information published by the CNA in corresponding CVE Records.