
I recently discovered several serious security holes in a vendor's product. I worked with them and they just released a patch.

I understand this is a very competitive field so I would like to publish my findings as a way to earn some street credibility.

The company does not seem to publish anything publicly about fixes and no CVE. Is the next correct step to ask and get a CVE identification number for each exploit and then publish my paper linking to those CVEs?

Jason

1 Answer


Is the next correct step to ask and get a CVE identification number for each exploit and then publish my paper linking to those CVEs?

As a courtesy, I would inform the vendor that you plan on publishing. They may want to first send out private notices to their customers to give them time to update. Normally, you would mention this when first contacting the vendor, but if you didn't, better late than never.

If you can get a CVE via the process described below, then yes, you would link each vulnerability to its CVE. You may also want to publish your report to a mailing list.

Is a CVE Needed?

Can I just release this paper or do I need to get a CVE number as well?

You don't need a CVE to disclose, but it's recommended, if you can get one (your vulnerability may not be eligible for a CVE, for example if it is in closed-source software that isn't listed by MITRE, or MITRE may not be able to assign you a CVE in a timely manner).

The idea behind CVEs is to have a centralized way to identify security vulnerabilities, which makes it easier to distinguish between different issues across different tools or vulnerability databases.

So if you can, it would be best to acquire a CVE before publishing, so others can easily identify your vulnerability and to avoid duplicate assignments.

How to get a CVE (in 2016+)

In August 2016, MITRE changed their email-based CVE request process to a webform-based process. In the process, they also changed the rules about what vulnerabilities can request CVEs from them directly.

As far as I understand based on this document, it works like this:

  1. if the affected product is assigned to a CNA, a CVE should be requested from that CNA at the same time as the vulnerability is reported.
  2. if not, you can contact CERT/CC (I assume before disclosing), or a mailing list (while disclosing).
  3. if the affected product is in a seemingly arbitrary list of software, the CVE should be requested after it was reported to the vendor, but before publishing the vulnerability. This request should happen via the MITRE CVE webform.
  4. if the affected product is not in the list, and it is open source, then the CVE should be requested after it was published, via this Google Docs form (if you disclose via a mailing list, I would make sure to include a link to avoid duplicate CVE assignment).

For your case, point 1. doesn't seem to be the case. You may send your disclosure to a mailing list (point 2.), but I wouldn't expect to get a CVE. If the vendor is in 3., you may use the webform to request a CVE. 4. doesn't apply, so if none of the previous points applied (e.g. if it is closed software not in the list of covered products), you may not get a CVE.

tim