Significant Delay in CVE ID Assignment via Private Security Advisory (Pending since June 8) #199123
Replies: 1 comment
The CVE is just assigned.
🏷️ Discussion Type
Question
💬 Feature/Topic Area
Other
Discussion Details
Hi everyone,
I'm reaching out to see if others are experiencing unusual delays with CVE ID requests lately, or if there is a recommended way to follow up on a stalled request.
During a recent open-source security audit, I reported a vulnerability to a project. The maintainer officially requested a CVE ID through the GitHub Private Security Advisory workflow on June 8th at 12:28 PM. It is now June 15th, which is well past the standard 72-hour SLA.
As a Collaborator on this Private Advisory, I can confirm that the timeline is completely empty—there have been no requests from the GitHub CNA team for additional information, clarifications on version ranges, or any status updates.
A few questions for the community or any GitHub staff here:
Is there a known backlog for the GitHub CNA team at the moment?
What is the proper escalation path in this scenario? Should the maintainer open a standard support ticket, or is there a dedicated channel for delayed CVE requests?
We want to ensure this vulnerability is properly tracked and published, so any guidance on how to unblock this would be greatly appreciated.
Thank you!