full-disclosure-uk August 2008 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] how to request a cve i

Re: [Full-disclosure] how to request a cve id?

From: William A. Rowe, Jr. <wrowe_at_nospam>
Date: Fri Aug 01 2008 - 20:39:18 GMT
To: "Steven M. Christey" <coley@linus.mitre.org>

Steven M. Christey wrote:
> CVE requests can be sent to cve@mitre.org or to me directly. My PGP
> key is below, or accessible from the MIT public key server.
> Alternately, you can request them from Candidate Numbering Authorities
> (CNAs) which include the security teams at Red Hat, Microsoft, and
> Debian, or third-party coordinators including iDefense and CERT/CC.
> The amount of information you need to provide can vary and is somewhat
> negotiable. We need to be sure how many CVEs to assign.
> Naturally, there is no charge for CVE requests. We encourage people
> to try to coordinate with the vendor, since the quality of information
> almost always suffers if you don't do so.

I'd like to expand on Steven's comments; it is usually best to obtain that CVE from the vendor/project, if they already participate in Mitre. This ensures that you are not creating a duplicate ID. Of course if they do not participate, you'll need to follow Steven's directions above.

If they do participate, it ensures that duplicate CVE's won't need to be discarded. Where your vulnerability overlaps a prior report, you should be told which CVE applies to your report.

It may be best where you have a cross project/vendor vulnerability to simply request one first, and then notify each project/vendor affected of the specific CVE you have allocated at the time you notify them of the vulnerability.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/