<<< Date Index >>>     <<< Thread Index >>>

Re: how to request a cve id?



Steven M. Christey wrote:
CVE requests can be sent to cve@xxxxxxxxx or to me directly.  My PGP
key is below, or accessible from the MIT public key server.
Alternately, you can request them from Candidate Numbering Authorities
(CNAs) which include the security teams at Red Hat, Microsoft, and
Debian, or third-party coordinators including iDefense and CERT/CC.

The amount of information you need to provide can vary and is somewhat
negotiable.  We need to be sure how many CVEs to assign.

Naturally, there is no charge for CVE requests.  We encourage people
to try to coordinate with the vendor, since the quality of information
almost always suffers if you don't do so.

I'd like to expand on Steven's comments; it is usually best to obtain that
CVE from the vendor/project, if they already participate in Mitre.  This
ensures that you are not creating a duplicate ID.  Of course if they do
not participate, you'll need to follow Steven's directions above.

If they do participate, it ensures that duplicate CVE's won't need to be
discarded.  Where your vulnerability overlaps a prior report, you should
be told which CVE applies to your report.

It may be best where you have a cross project/vendor vulnerability to simply
request one first, and then notify each project/vendor affected of the
specific CVE you have allocated at the time you notify them of the
vulnerability.