As if the Broadcom VMware acquisition wasn't cringeworthy enough...
VMware Security Advisories (VMSAs) are now to be non-public.
You'll need a support portal account to even know that they exist.
https://blogs.vmware.com/security/2024/05/where-did-my-vmware-security-advisories-go.html
@wdormann VMware is a CNA in the MITRE CNA program and the CNA v4.0 rules require one public reference for CVEs e.g. "5.1.10 MUST contain at least one public reference (see 5.3)." and "5.3.3.1 SHOULD NOT require registration or login, and" ... guess it's not a "MUST NOT" :/
@codonell @wdormann It’s a pity they used “should not” for that. “[…] the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.” I guess they didn’t think about the implications hard enough.
@schrotthaufen @wdormann @msw Matt, any idea why we used "SHOULD NOT" here for the public reference portion? In the interest of cybersecurity and the entire ecosystem, I would like to have seen 5.3.3.1 be "MUST NOT"
@codonell @schrotthaufen @msw
Per CVE rules, it's perfectly fine for a CVE reference to require a login.
As long as you don't have to be a paying customer or have other restrictions.