CVE Identifiers (a.k.a. CVE IDs) are used to uniquely identify a particular vulnerability. We've all seen them on various bulletins, and they're useful when researching an issue. But how are they assigned? What process is involved in getting a CVE ID for a bug, and how does the vendor fit in with that process? Can anyone ask for a CVE ID on a whim, or is some evidence or detail required?
- Does this site help you out? http://cve.mitre.org/cve/identifiers/build.html – Kao Dec 10 '12 at 13:37
- I'm aware of it. I'm actually reasonably familiar with CVEs, but I figured it'd be nice to have a question on here that'd cover it. – Polynomial Dec 10 '12 at 13:56
2 Answers
There are multiple ways to obtain a CVE.
One could contact one of the CVE Numbering Authorities (CNA), an emergency response team (think CERT) or the CVE project. If the vendor of a product is listed as a CNA you must contact the vendor to obtain a CVE.
Sufficient information must be provided to allow the CVE assigner to take a decision (provide the CVE, merge with other CVEs etc).
For more information see http://cve.mitre.org/cve/request_id.html and http://cve.mitre.org/cve/cna.html#researcher_responsibilities
Some vendors such as Drupal will request CVE identifiers in bulk via openwall for published security announcements that do not already have a CVE requested by the researcher.
- Here is a useful list of the CVE Numbering Authorities and which should be contacted in case you find a vulnerability: https://cve.mitre.org/cve/cna.html#participating_cnas – mart1n Jun 17 '14 at 15:19
Just an update: this process is changing. In addition to "evidence based" CVEs there will be "request based" CVEs (to be honest, it's already a practice I have followed for more than a few of the 5000 CVEs I have issued; certain people I trust to make requests properly, and I don't require a lot of evidence because they have a history of doing their CVE requests properly).