
I recently reported a security vulnerability and it was patched. The patch (and associated issue) are both out in the open in a Github repo (aka public). I contacted cve-assign@mitre.org to get a CVE Identifier issued for the vulnerability. I have been issued a CVE Identifier.

Do I need to do anything else (e.g. supply Proof of Concept code etc), or am I done?



Given you have referenced Github, I will assume this is related to some type of open source project. As an open source project, a note to oss-sec is a good idea. This will bring it to the attention of most upstream distributors.

You do not need to subscribe to post to oss-sec, but you should note carefully the etiquette/content guidelines in the link above. A rummage through the archives should point you in the right direction; this one is a recent posting (from the list maintainer), the form of which you could usefully copy: http://seclists.org/oss-sec/2015/q3/61

The NIST National Vulnerability Database is driven by CVE data and should be updated in the near future; they don't suggest how long it might take, though. The NVD FAQ also has some useful details, including contact procedures for missing or incorrect entries. I'd suggest giving it at least two weeks (based on empirical evidence) after you post to oss-sec before following up, though; the CVE people tend to be busy.

mr.spuratic
  • Do I need to do anything additional to add the information to: https://web.nvd.nist.gov/view/vuln/detail?vulnId=[CVE ID Here]? Right now it does not show up but is that just a matter of waiting until they update the website? – David Dworken Aug 06 '15 at 14:58
  • Updated. I believe you just need to wait, posting to oss-sec *might* help, but it depends on the scope and severity of your issue (and every other issue currently in the queue). – mr.spuratic Aug 06 '15 at 15:49