Distributed Weakness Filing (DWF) Project
The Distributed Weakness Filing (DWF) Project is the first federated CVE Number Authority (CNA). The DWF will initially deal with assigning CVEs for Open Source software (as defined by OSI approved Open Source licenses https://opensource.org/licenses and similar licenses). The DWF will assign CVEs for valid security vulnerabilities using the same or very similar processes as Mitre and other CVE Numbering Authorities currently use.
Getting a CVE Identifier from the DWF for your security vulnerability(s)
We are currently deciding on process for this, in the mean time you can submit an issue via the form at https://iwantacve.org/
Becoming a CVE Mentor
The first step is to contact us, email is good (see our contact info), or file an issue. To get involved with the DWF as a CVE Mentor you MUST accept the Contributor Covenant.
Becoming an Open Source CNA (CVE Numbering Authority)
To become an Open Source CNA you must meet the following requirements:
Fill out a CNA application form (form to be created)
Agree to the CNA Rules at https://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf
Find at least one or more CVE Mentors willing to work with you, they can be internal to your organization/project or an external person.
Assigning a CVE for the DWF
If you are assigning CVEs on behalf of the DWF please consult the CVE Assignment HOWTO.
The primary source for this document is: https://cve.mitre.org/about/termsofuse.html
This is the DWF Contributor Agreement, if you want to participate withint the DWF as a CVE mentor or CNA you must accept this agreement.
The primary source for this document is: http://contributor-covenant.org/version/1/4/
This is the MITRE Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA) Rules , if you want to be a CNA you must read this and accept these guidelines.
The primary source for this document is: https://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf
Please note that a draft version of the 2.0 guidelines are now available here: http://cve.mitre.org/cve/cna/CNA_Rules_v2.0.pdf
Git Repo layout
This repo contains the documentation.
This repo contains the Master CVE Database which consists of the CVE Year, start of range, end of range, length of range and where this block is stored (e.g. which Git repo). When you want to find a CVE you can look here to find the repo it exists within.
This repo is going to be removed in future, we will be moving to a forked copy of https://github.com/cveproject/cvelist
This repo contains a list of CVE Mentors, mentors may be affiliated with none, one, or more CNAs. CVE Mentors are not required to assign CVEs, they may for example be involved for example primarily in training other CVE Mentors or providing supporting to other CVE Mentors.
This is the DWF CNA registry, it is basically just a list of CNAs and their CVE Mentor(s) and the CVE ID blocks they use. Every CNA must have one or more CVE Mentors that work with them.
This repo contains legal acceptance from people who are not yet CVE Mentors or CNAs withint the DWF.