CVE assignment documentation - this document replaces http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html
Please note that this document pertains to CVE's for issues found in Open Source programs, not closed source programs, if you need a CVE for a closed source program I suggest you go to Mitre directly.
Copyright: Red Hat 2015 Author: Kurt Seifried (firstname.lastname@example.org)
What is CVE?
A CVE is a common name for a single security vulnerability so that we can identify and talk about issues sanely (e.g. "that OpenSSL vulnerability, from like 2009, the DoS one" vs. "CVE-2009-3555"). CVE allows multiple vendors, products, and customers to properly track security vulnerabilities and make sure they are dealt with.
The CVE database is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."
Why should I get a CVE for my security issue?
Because it makes it much easier to track, discuss and otherwise handle security issues for everyone. Upstream vendors, downstream vendors, security tracking firms, customers, security products, etc. all increasingly rely upon CVE to identify issues clearly.
Why should I get my CVE before going public?
Getting the CVE before public release makes tracking the issue much easier, if you release the issue and then get a CVE for it everyone will have to update their information (considering how many organizations consume security reports, this is a lot of effort). Also if other similar issues are released it makes tracking much easier rather than playing the "well it sounds like this one but maybe it's that other one?"
How do I request a CVE?
There are 4 main ways to request a CVE:
- In advance privately from email@example.com
- In advance privately from the firstname.lastname@example.org list
- In advance privately from Mitre email@example.com
- Publicly on the firstname.lastname@example.org list
You can request a CVE from email@example.com, this is generally the quickest way (we have a team of people that can assign CVE's). You'll need to include some basic information such as the title, type of vulnerability and so on so that we can make sure the assignment is done correctly. If we have any questions about the assignment we will ask, so don't worry, if something is missing or unclear we'll ask. The firstname.lastname@example.org GPG key is available here https://access.redhat.com/security/team/contact
Please note that although there is no strict limit on the time from which you request a CVE to the time you release the information we do generally ask that you take no more than 30 days to release the information.
You can request a CVE from the email@example.com list. This will actually be fulfilled by Red Hat (the same people doing firstname.lastname@example.org basically) and has the same basic process. Carefully read the entire http://oss-security.openwall.org/wiki/mailing-lists/distros page and confirm that you have done so and that you accept its terms by including the magic characters stated there in the Subject line otherwise your email will be rejected.
Your primary intent of bringing the issue to the distros list must be to notify the various BSD and Linux vendors (http://oss-security.openwall.org/wiki/mailing-lists/distros) who can then start working on their updates as well. Please note: emailing the distros@ list starts a 2 week embargo process so if you cannot address the issue and go public in 2 weeks or less I suggest either holding off on the CVE request, or using email@example.com directly.
If for some reason you do not feel comfortable asking Red Hat or the distros@ list for the CVE you can request one directly from Mitre by emailing firstname.lastname@example.org. Please note that the Mitre team handles literally thousands of CVE requests a year so it may take some time for a response.
Finally if you have a public issue, or find an issue that is already public please ask for a CVE on the email@example.com mailing list, this will also notify the community of the issue. A classic example of this is the "CVE Request: Linux kernel crypto api unprivileged arbitrary module load" http://seclists.org/oss-sec/2015/q1/229 which was originally found in 2013, but not made widely known as a security issue until 2015. Sooner is always better for security issues.
How to write a CVE request:
There is not much information that is required:
- Software name and optionally vendor name
- Link to the software web site (so we can download to confirm it, etc.)
- Type of vulnerability or attack outcome
- A description of the affected code (e.g. the function name, the vulnerable web page, link to the affected code, a bug entry, etc.)
- Ideally some information about affected versions (especially if the issue has already been corrected in a release)
- Whether or not a CVE has previously been requested anywhere (e.g. if you emailed someone and they never got back to you), this is to prevent duplicate assignments.
Examples of good and bad requests
http://seclists.org/oss-sec/2011/q4/65 - this one is a bad request because the affected product name was mixed up (Ruby-on-rails/Ruby)
Why doesn't my CVE show up in the database?
The two main CVE databases:
Rely on Mitre for entries to be created and added. Mitre does not add CVE text until they have researched the issue and written it up. This means that in a given year Mitre has approximately 8,000 to 10,000 issues in their database that need research and publishing, so there is an obvious delay, especially for issues that are not as significant/important.
Why was the CVE assigned days/weeks/months before going public?
Mitre has a "Date Entry Created" field in their database, this is the date the CVE was either assigned by Mitre to a specific issue, or the date that CVE was given by Mitre to another organization (such as Red Hat) for future use. For example CVE-2015-0201 through CVE-2015-0300 were assigned on November 14, 2014 to Red Hat, as of late January 2015 Red Hat has only used approximately half of these. For more information on this and the other fields please see http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures