Public registry of DWF CVE Mentors
Switch branches/tags
Nothing to show
Clone or download
Latest commit 63cad71 Jun 29, 2018
Failed to load latest commit information.
agreements cleaned up contributor agreements statement Jun 29, 2018
mentors Added as trainee Feb 9, 2018 updated instructions Jun 29, 2018


This repo contains informaiton on becoming a CVE Mentor, and a list of current CVE mentors. CVE Mentors duties primarily include:

  • Determining if something is a security vulnerability from the CVE perspective (CVE_is_vuln)
  • Determining how to SPLIT/MERGE a CVE request(s) (CVE_counting)
  • Signing off on a CVE request as being correct (CVE_assign)
  • Providing help and training to other CVE mentors and people who want to be CVE mentors (can_train_others)
  • Confirming and creating other CVE mentors

Optionally a CVE mentor can also have a block of CVEs that they can directly assign from, making them a CNA effectively. Such CNAs are listed in

How to become a CVE Mentor

Becoming a CVE Mentor is simple:

  1. Find a mentor to sponsor you (check the existing registry, if you can't find one contact
  2. Fill out the CVE Mentor template (name, email addresses, etc.) available at
  3. Email the template and attached copies of your GPG key and the three signed file (listed below) to, please indicate in your email if you want to also become a CVE Numbering Authority (CNA), this is not required (e.g. some CVE Mentors will work with existing CNAs, or specialize in training and other related activities). Please use the subject line "DWF CVE Mentor request" to make it easier to spot.
  4. If accepted you will then be setup as a "trainee" which means you will be sent some training material (MITRE slides, etc.), once you have gone through them you will start creating CVE requests, however all your CVE requests MUST be validated by an existing CVE Mentor that is qualified, and the actual CVE supplied by the existing CVE mentor (their "can_train_others" has a value of "1" (True) for "CVE_is_vuln", "CVE_counting" and "CVE_assign")
  5. Once you have created several good CVE requests that have been assigned CVEs and geenerally shown competency you will be promoted from "trainee" to "active" and if desired a CVE block will be assigned to you
  6. If you wish to train and mentor others (e.g. become qualified for "CVE_is_vuln", "CVE_counting" and "CVE_assign") simply ask and I'll figure out the process for that (we don't have an official one yet)

Signing the agreements

You must sign the 3 agreement documents in with the gpg key you will be using to sign CVE ID assignments. Your GPG key MUST be valid for a minimum period of 5 years, and it can of course be valid for a longer period, or you can simply NOT set a kew expiry (since we are primarily concerned with signing and not with encryption/secrecy). Simply use gpg:


gpg --clearsign CVE-CNA-Rules-v2.txt
gpg --clearsign CVE-Terms-of-Use.txt
gpg --clearsign DWF-Contributor-Agreement.txt

And then attach and send the 3 .asc files to the DWF along with your public key and the template file so we can create a mentor record.