5

When you find a vulnerability, do you contact CVE assigners before contacting the vendor or after the vendor has fixed the problem?

PS: do not link to How are CVE identifiers assigned and managed?, as it doesn't answer my question.

The Illusive Man

4 Answers

4

You can request a CVE number without the details being published.

The timeline I have previously followed is:

  1. Notify vendor
  2. Request CVE number, while waiting for vendor response
  3. Publish advisory, once issue is fixed or a certain amount of time has passed

I consider the CVE guys reasonably trustworthy, and I will disclose high-level details of the vulnerability to them before I publish. They need this to avoid duplicates, but you can tell them to keep details private. If someone searches for the CVE at this point, it just says "reserved". When I publish, I copy the CVE guys and they then update the CVE entry to include the information.

You do need to get the CVE before you publish - it's pretty much essential to include a CVE number on your advisory.

paj28
1

If the vendor in question is a CNA (CVE Numbering Authority) then when you report a vulnerability to them they should promptly assign it a CVE # (this is standard operating procedure at Red Hat). If they fail to assign it a CVE then I would advise going to Mitre at cve-assign@mitre.org.

If the vendor is not a CNA then you can request a CVE from Mitre at cve-assign@mitre.org. Personally I prefer that the vulnerability get a CVE sooner rather than later (it makes tracking and coordination easier).

Kurt
1

As far as I know, you first contact the vendor. There are numerous CVE requests on the oss-security mailing list pointing to bug trackers. Of course if a vendor ignores the issue that's a different story...

I suspect your question has more to do with whether it's ethical to disclose without warning a vendor?

Steve Dodier-Lazaro
  • No, it's not ethics-related. I just want to know if I need to contact a CNA while the vendor fixes the problem, or if I need to wait until the problem is fixed to request the CVE. – The Illusive Man Jul 12 '14 at 19:53
  • I'm not sure that you are *required* to wait. I also remember seeing bugs without an upstream fix but with a provided patch. Especially, sometimes you need full disclosure as people won't fix their bugs. I'd directly ask the CVE people if I were you. – Steve Dodier-Lazaro Jul 12 '14 at 20:38
  • You are definitely NOT required to wait for upstream to fix/patch/acknowledge/etc. the flaw before getting a CVE. The one caveat being that if upstream is a CNA (CVE Numbering Authority) then they will be told, as they would be the primary entity to assign a CVE for their software. – Kurt May 11 '17 at 18:14
1

If you apply for a CVE ID and are granted one, then the vulnerability will become public knowledge. It is recommended that you first contact the software developer and wait 30 days for their response. Depending on the severity of the vulnerability, they may ask that you do not make the vulnerability known to the public until they have had time to patch.

Overall, the course you take is your decision. But working with the vendor will ensure you are not held liable for damages releasing the vulnerability may cause.

ap288