I found a heap overflow exploit for a vulnerability in Git servers. This led to lucrative operations on various bug bounty programs (GitHub already promised to put me in their top 10).

When it was corrected recently, the case of remote code execution wasn’t identified.
As a result, many Linux distributions as well as mainline commercial products like Apple OS X still ship affected versions.

So, I think it’s time to make great publicity around the vulnerability, and that a CVE shared across all would be the best way to achieve this.

This would just take ages if I needed to contact them all.

Update:

For those seeking the details, just wait for my profile to appear on the main page of this site. I also won’t attempt anything as long as the issue isn’t fixed with the vendor.

user2284570
  • https://cve.mitre.org/cve/request_id.html is the formal documentation. Please be responsible with your disclosure, especially if you've found something as dangerous as you claim. Work with the vendors before releasing publicly. – Ohnana Dec 11 '15 at 02:48
  • @Ohnana: I can’t talk with every vendor. I’m a student who is no longer on vacation *(next time is in February)*. I think it’s time to advertise *(as soon as the last bounty is awarded to me)*. – user2284570 Dec 11 '15 at 02:52
  • MITRE is the top-most CNA. Talk to them, and see if they can help you. Unfortunately, disclosure done right takes time. CERT and other teams may be able to lighten your load. – Ohnana Dec 11 '15 at 02:53
  • @Ohnana: How can I talk to them? I don’t even understand which [address I should e-mail](https://nvd.nist.gov/contact.cfm) for that [one](https://nvd.nist.gov/contact.cfm). – user2284570 Dec 11 '15 at 02:55
  • https://cve.mitre.org/cve/cna.html#participating_cnas – Ohnana Dec 11 '15 at 02:56
  • @Ohnana: I don’t even understand which [address I should e-mail](https://nvd.nist.gov/contact.cfm) for that [one](https://nvd.nist.gov/contact.cfm). – user2284570 Dec 11 '15 at 02:59
  • http://www.zerodayinitiative.com may help – Neil Smithline Dec 11 '15 at 04:03
  • @NeilSmithline They told me they weren't interested in that product. – user2284570 Dec 11 '15 at 04:04
  • As @Ohnana mentioned, report the vulnerability to [CERT](https://forms.cert.org/VulReport/). It's not an email, it's an online form. They'll coordinate with the vendor for you, and get a CVE number assigned. – Xander Dec 11 '15 at 19:59
  • @Xander: Git isn’t part of any vendor, and the issue is [already fixed](https://github.com/git/git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305). It’s just that a possible exploit case wasn’t identified, making older versions look inoffensive. – user2284570 Dec 11 '15 at 20:01
  • It isn't magical self creating software. It has maintainers, which are the same thing. – Xander Dec 11 '15 at 20:04
  • @Xander: The maintainers are already aware of that case. They fixed the problem before they knew about it, so there is nothing they can do. – user2284570 Dec 11 '15 at 20:05
  • Ok, so you don't need CERT to contact the maintainers for you then. Do you still have a question? – Xander Dec 11 '15 at 20:10
  • @Xander: I’d like to know who to mail for [that one](https://nvd.nist.gov/contact.cfm). – user2284570 Dec 11 '15 at 20:12
  • You don't. You fill out the CERT form I gave you a link to. – Xander Dec 11 '15 at 20:14
  • @Xander: The question doesn’t ask for the exact process on how to create one. – user2284570 Dec 11 '15 at 21:56
  • @Xander: I didn’t get any replies from CERT, even after telling them twice. – user2284570 Mar 05 '16 at 12:47

1 Answer

As Ohnana also mentioned, the way to request a formal CVE is through their intake form.

https://cve.mitre.org/cve/request_id.html

Details from a current snapshot of that website:

**Main Methods**

Contact one of the officially recognized CVE Numbering Authorities (CNAs), which will then include a CVE Identifier number in its initial public announcement about your new vulnerability.

Or, contact an emergency response team such as CERT/CC, etc., post the information to mailing lists such as Bugtraq, or provide the information to a vulnerability analysis team.

**Alternative Method**

If you are unable to obtain a CVE Identifier number via the main methods above, you may request a CVE Identifier number directly from the CVE project. To reserve a CVE Identifier number before publicizing a new vulnerability, vulnerability researchers may contact cve-assign@mitre.org and we will provide you with our "CVE-ID Reservation Guidelines for Researchers" document. We will then work with you to assign a CVE Identifier number for the issue while you work through the process of publicly disclosing the vulnerability.

Please review the Researcher Responsibilities. https://cve.mitre.org/cve/cna.html#researcher_responsibilities

Adding a link to the CVE FAQ. https://cve.mitre.org/about/faqs.html

Trey Blalock
  • Once a CVE ID is assigned and the bug is [fixed into master](https://bounty.github.com/researchers/ytrezq.html), how much time does it take to get the CVE details published? – user2284570 Mar 05 '16 at 12:48
  • I'm wondering the same thing as @user2284570. Can you add the info to your answer please? – Aaron Esau Feb 28 '17 at 06:59
  • At this time it appears there are no timeline guarantees for any part of the CVE ID granting process. I think it's because there are multiple CNAs and/or it's an internal process metric that doesn't appear to be documented publicly. – Trey Blalock Mar 01 '17 at 05:26