
This is a hypothetical question. The answers would help me to learn how CVE issues CVE IDs to vulnerabilities.

Let us assume that I have followed the principles of responsible disclosure, reported the vulnerability I found to the vendor and the vendor has not fixed it even after several months.

How can I report this vulnerability to cve.mitre.org so that they publish the details of the vulnerability after assigning a CVE-ID to it?

I have seen independent hobbyist security researchers posting vulnerabilities on the Bugtraq and Full Disclosure mailing lists, and those vulnerabilities are automatically included with CVE-IDs in cve.mitre.org. I want to know more about how this works. I don't think each one of them emails a CNA to request a CVE-ID number.

Lone Learner
  • Dupe http://security.stackexchange.com/questions/25219/how-are-cve-identifiers-assigned-and-managed and http://security.stackexchange.com/questions/107828/how-to-exactly-create-a-cve – dave_thompson_085 Apr 21 '16 at 11:37

3 Answers


[Note: see the answer by @tim, which is a more thorough answer than my quick google.]

MITRE has official documentation that answers your question right on cve.mitre.org, specifically have a look at https://cve.mitre.org/cve/identifiers/index.html which gives a thorough description of CVE Identifiers, how they are created, and how to request one.

The home page https://cve.mitre.org also has the following right in the main column:

CVE Numbering Authorities (CNAs)

CNAs are the main method for requesting a CVE-ID number.

CNAs are major OS vendors, security researchers, and research organizations that assign CVE-IDs to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE-ID numbers in the first public disclosure of the vulnerabilities.

The following 22 organizations currently participate as CNAs: Adobe; Apple; Attachmate; BlackBerry; CERT/CC; Cisco; Debian GNU/Linux; EMC; FreeBSD; Google; HP; IBM; ICS-CERT; JPCERT/CC; Microsoft; MITRE (primary CNA); Mozilla; Oracle; Red Hat; Silicon Graphics; Symantec; and Ubuntu Linux.

A message about turnaround times for requesting CVE-ID numbers from MITRE is posted above. For more information about requesting CVE-ID numbers from CNAs, visit the CVE Numbering Authorities page.

If you're not satisfied with the official answer, then please specify what you know, and what you're missing in your question.

Mike Ounsworth
  • I have seen independent hobbyist security researchers posting vulnerabilities on the Bugtraq and Full Disclosure mailing lists, and those vulnerabilities are automatically included with CVE-IDs in cve.mitre.org. I wanted to know more about how this works. I don't think each one of them emails a CNA to request a CVE-ID number. – Lone Learner Apr 20 '16 at 17:07
  • @LoneLearner By the way, Bugtraq is mentioned on one of the pages I linked to. – Mike Ounsworth Apr 20 '16 at 18:03

Theoretically: Contact a CNA or Mailing List

As others have stated, you would contact a CNA. If you can't find one in the list of software vendors, you would contact MITRE directly.

You could also post it to a mailing list instead of contacting a CNA. MITRE mentions Bugtraq, where you would just publish your vulnerability (not a request for a CVE) and ideally get a CVE from MITRE, but you could also use oss-security, which is mainly used for CVE requests (you can see the rate of assignments from cve-assign @ MITRE, so you can consider whether it's actually worth it).

If you request CVEs via multiple methods, you should mention any previous requests - successful or not - to avoid duplicate assignments.

These possibilities are also described by MITRE on their Request a CVE info page:

Contact one of the officially recognized CVE Numbering Authorities (CNAs) [... o]r, contact an emergency response team such as CERT/CC, etc., post the information to mailing lists such as Bugtraq, or provide the information to a vulnerability analysis team [...] If you are unable to obtain a CVE Identifier number via the main methods above, you may request a CVE Identifier number directly from the CVE project.

Practically: MITRE is having trouble assigning CVEs

The thing is that MITRE is having trouble actually assigning CVEs because of a rise in discovered vulnerabilities, so it requires a bit of luck to actually get one from them.

There have been complaints for a while, and MITRE has a note on their website calling it a "delay":

The recent explosion of Internet-enabled devices—known as the Internet of Things—as well as the propagation of software-based functionality in systems has led to a huge increase in the number of CVE requests we have been receiving on a daily basis. We did not anticipate this rate of growth, and, as a result, were not as prepared for the latest surge in requests over the past 12 months as we had hoped. The result has been some of the delay in CVE assignments that the software security community has recently witnessed. We recognize the inconvenience that has resulted, and are working hard to come up with a solution.

While MITRE only talks about a delay, others report that they are not receiving responses at all, see here, here or here (which is also my experience and what the activity at mailing lists such as oss-security indicate).

tim

The EXACT method of getting a CVE from Mitre is to e-mail them at cve-assign @ mitre.org. When you e-mail them, you will need to be specific about why you are requesting a CVE, and you will need to provide them with the gist of what you found. For example:

Cross Domain Paradigm Shift (issue)
Paradigm Vendor (vendor)
Versions (version of software affected)
Synopsis (proof of concept helps, e.g., debugging info, URL if web based etc)
Any vendor contacts you have made (email, fax, telephone, etc)

The ONLY TIME you would go through a CNA is if Mitre does not respond.

munkeyoto
  • The MITRE "request a CVE" info page (https://cve.mitre.org/cve/request_id.html) says to first try to contact the other CNAs and only ask MITRE directly if that is not possible. Looking at the response time and rate of MITRE, this also makes sense (I'm not sure if all the CNAs are better, but I would imagine that they receive a lot less requests). – tim Apr 21 '16 at 07:26