CVE assignment pending past 72-hour SLA for published advisory

[alienkeric]

Discussion Type

Question

Discussion Content

Hi everyone,

I'm reaching out to see if anyone else has been experiencing unusual delays with CVE ID assignments recently, or if there's a recommended way to unblock stalled requests.

Over the past few weeks I've been conducting vulnerability research and responsibly disclosing several issues. The maintainers have requested CVE IDs through GitHub's CNA, but the requests appear to be stalled.

These requests were submitted over four days ago, which is well beyond the typical 72-hour SLA. None of the advisories have received any updates, requests for additional information, or CVE assignments. Since the advisories are already public, we're hoping to have the corresponding CVE IDs assigned as soon as possible so downstream users and security tools can properly track the vulnerabilities.

I have a few questions for the community or any GitHub staff who may be able to help:

• Is GitHub's CNA currently experiencing a backlog or service delay?
• What is the recommended escalation path when multiple public advisories remain stuck? Should we open GitHub Support tickets, or is there another channel specifically for delayed CVE assignments?
• If a GitHub staff member is available, would it be possible to review or manually advance these requests?

(I'm happy to provide direct links if needed.)

Any guidance or assistance would be greatly appreciated. Thank you!

[nicl4ssic]

I've been experiencing the same issue. It's has been like 108hrs since reported vulnerabilities CVE request sent to GitHub. I'll be following this discussion to see what is causing this issue

[gemstone-source]

Same applied on my end I have the similar experience on some of my reports

[blueandhack]

Same. I was facing the same issues. Not only the CVE assignment delay issue, but also the CVE publish delay issue. So, it looks like a huge backlog for CVEs. I believe the backlog will impact the downstream users, the high risk to expose the downstream users without any notices.

[blueandhack]

https://github.com/orgs/community/discussions/199058

[blueandhack]

https://github.com/orgs/community/discussions/197744

[blueandhack]

github/advisory-database#8098

[alienkeric]

I see, I got 6 published advisory with all requested CVE I wonder 🤔 but no CVE id

[alienkeric]

all of them already published and already fixed and already confirmed.
• GHSA-66v2-vxxf-xc3v
• GHSA-7vhm-8x52-2r5p
• GHSA-928x-9mpw-8h56
• GHSA-2c4f-86xc-cr74
• GHSA-m8g9-wxhx-6f86
• GHSA-q532-mvx7-42qg

[alienkeric]

@mgriffin any updates 😔