Steven M. Christey wrote:
CVE requests can be sent to cve@xxxxxxxxx or to me directly. My PGP key is below, or accessible from the MIT public key server. Alternately, you can request them from Candidate Numbering Authorities (CNAs) which include the security teams at Red Hat, Microsoft, and Debian, or third-party coordinators including iDefense and CERT/CC. The amount of information you need to provide can vary and is somewhat negotiable. We need to be sure how many CVEs to assign. Naturally, there is no charge for CVE requests. We encourage people to try to coordinate with the vendor, since the quality of information almost always suffers if you don't do so.
I'd like to expand on Steven's comments; it is usually best to obtain that CVE from the vendor/project, if they already participate in Mitre. This ensures that you are not creating a duplicate ID. Of course, if they do not participate, you'll need to follow Steven's directions above. If they do participate, it ensures that duplicate CVEs won't need to be discarded. Where your vulnerability overlaps a prior report, you should be told which CVE applies to your report. It may be best, where you have a cross-project/vendor vulnerability, to simply request one first, and then notify each project/vendor affected of the specific CVE you have allocated at the time you notify them of the vulnerability.