CVE assignment documentation
Latest commit 59ab10b, Nov 14, 2016, by kseifriedredhat: "Updated on CVE assignment process"

CVE-HOWTO

CVE assignment documentation - this document replaces http://people.redhat.com/kseifrie/CVE-OpenSource-Request-HOWTO.html

Please note that this document pertains to CVEs for issues found in Open Source programs, not closed source programs. If you need a CVE for a closed source program, I suggest you go to MITRE directly.

Copyright: Red Hat 2016. Author: Kurt Seifried (kseifried@redhat.com)

What is CVE?

http://cve.mitre.org/about/faqs.html

A CVE is a common name for a single security vulnerability so that we can identify and talk about issues sanely (e.g. "that OpenSSL vulnerability, from like 2009, the DoS one" vs. "CVE-2009-3555"). CVE allows multiple vendors, products, and customers to properly track security vulnerabilities and make sure they are dealt with.

The CVE database is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

Why should I get a CVE for my security issue?

Because it makes it much easier to track, discuss and otherwise handle security issues for everyone. Upstream vendors, downstream vendors, security tracking firms, customers, security products, etc. all increasingly rely upon CVE to identify issues clearly.

Why should I get my CVE before going public?

Getting the CVE before public release makes tracking the issue much easier. If you release the issue and then get a CVE for it, everyone will have to update their information (considering how many organizations consume security reports, this is a lot of effort). Also, if other similar issues are released, having the CVE up front makes tracking much easier than playing the "well, it sounds like this one, but maybe it's that other one?" game.

How do I request a CVE?

There are several main ways to get a CVE:

  1. Does the software in question belong to an organization that can assign CVEs? If so, you should contact them first to request a CVE. If they are not responsive, you should contact their parent CVE organization for resolution. A list of CNAs for MITRE is available at https://cve.mitre.org/cve/cna.html and for Open Source CNAs a list is maintained at https://github.com/distributedweaknessfiling/DWF-CNA-Registry
  2. If the software in question doesn't belong to an organization that can assign CVEs, there are entities that do CVE assignments for various software categories (e.g. the DWF can do CVE assignments for Open Source software). The DWF is available at https://iwantacve.org/
  3. There are also organizations that do security vulnerability coordination and can assign CVEs to vulnerabilities, such as CERT/CC, HackerOne, JPCERT/CC and so on. For a list of these please see https://cve.mitre.org/cve/cna.html
  4. If there is no entity to assign a CVE, you should ask MITRE directly for one via the web form: https://cve.mitre.org/cve/request_id.html

Additionally, for CVE requests for Open Source software that concern already public issues, you can currently also request them publicly on the oss-security@lists.openwall.com list.

How to write a CVE request:

MITRE maintains a CVE request web form at https://cveform.mitre.org/ and the DWF maintains one at https://iwantacve.org/; both show what information is required and what information is additionally nice to have.

Why doesn't my CVE show up in the database?

The main CVE database is at:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=my+program

The National Vulnerability Database also maintains CVE data with additional information such as CVSS scoring information.

https://web.nvd.nist.gov/view/vuln/search

Both currently rely on MITRE for entries to be created and added. MITRE does not add CVE text until they have researched the issue and written it up. Currently (as of late 2016) MITRE is transitioning to allowing CVE Numbering Authorities (CNAs) to submit CVE description text.

Why was the CVE assigned days/weeks/months before going public?

MITRE has a "Date Entry Created" field in their database. This is the date the CVE was either assigned by MITRE to a specific issue, or the date that CVE was given by MITRE to another organization (such as Red Hat) for future use. For example, CVE-2015-0201 through CVE-2015-0300 were assigned on November 14, 2014 to Red Hat; as of late January 2015 Red Hat has only used approximately half of these. For more information on this and the other fields please see http://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures
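The block of IDs handed to Red Hat above is a good illustration of why "Date Entry Created" can predate disclosure: an ID inside that block was reserved in November 2014 regardless of when its issue went public. The following Python is an added example (not code from this repository or from Red Hat) that parses CVE identifiers and checks whether one falls inside such a reserved block; the block bounds are the ones quoted above, and the checker is purely syntactic, so it says nothing about whether MITRE has actually assigned or published a given ID. It accepts sequence numbers of four or more digits, as the CVE ID syntax has allowed since 2014.

```python
import re

# CVE identifier syntax: "CVE-" + four-digit year + "-" + four or more digits.
# Since the 2014 syntax change the sequence part is not limited to four digits.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id):
    """Return (year, sequence) for a syntactically valid CVE ID.

    Raises ValueError for anything that is not shaped like a CVE ID.
    Leading/trailing whitespace and lower-case prefixes are tolerated.
    """
    m = CVE_ID_RE.match(cve_id.strip().upper())
    if not m:
        raise ValueError("not a CVE identifier: %r" % (cve_id,))
    return int(m.group(1)), int(m.group(2))


def in_reserved_block(cve_id, block_start, block_end):
    """True if cve_id lies within the inclusive block [block_start, block_end].

    Blocks handed out to a CNA are contiguous within one year, so a block
    spanning two years is rejected as a caller error.
    """
    year, seq = parse_cve_id(cve_id)
    start_year, start_seq = parse_cve_id(block_start)
    end_year, end_seq = parse_cve_id(block_end)
    if start_year != end_year or start_seq > end_seq:
        raise ValueError("malformed block: %s .. %s" % (block_start, block_end))
    return year == start_year and start_seq <= seq <= end_seq


# The block quoted in the text (reserved for Red Hat on November 14, 2014).
RED_HAT_2015_BLOCK = ("CVE-2015-0201", "CVE-2015-0300")


def classify(cve_ids, block=RED_HAT_2015_BLOCK):
    """Map each candidate ID to 'in-block', 'outside' or 'invalid'."""
    result = {}
    for cid in cve_ids:
        try:
            inside = in_reserved_block(cid, block[0], block[1])
        except ValueError:
            result[cid] = "invalid"
            continue
        result[cid] = "in-block" if inside else "outside"
    return result


if __name__ == "__main__":
    # Constructed sample input: one ID in the block, one in another year,
    # one with the longer post-2014 sequence number, and one malformed string.
    sample = ["CVE-2015-0250", "CVE-2016-0250", "CVE-2014-1234567", "CVE-15-1"]
    for cid, verdict in classify(sample).items():
        print("%-18s %s" % (cid, verdict))
```

Feeding a published advisory's ID list through `classify` lets a tracker spot at a glance which IDs came from a vendor's pre-reserved block (and so carry an older "Date Entry Created") versus which were assigned by MITRE at request time.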