Full Disclosure mailing list archives
Re: Regarding how can I request a CVE number?
From: Nick Boyce <nick.boyce () gmail com>
Date: Thu, 19 Mar 2015 16:36:37 +0000
On 17 March 2015 at 23:25, XiaopengZhang <tfrist () yeah net> wrote:
> I discovered several Vuls and have reported them to the vendors, so I'd like to request the CVE for them. (The vendor did not want to request a CVE.) I have sent some emails to cve-assign () mitre org to apply for a CVE. But so far nobody has replied to them. I don't know what happened to this email box. Is my email recognised as spam? Or do I need to write the email content in a special format?
Maybe you didn't supply all the information required for a CVE to be assigned?

There are a *huge* number of potential security-related flaws being discovered in open-source software now as various researchers pour a lot of effort into auditing - and discussions about these flaws frequently get bogged down in whether or not the flaw is "by design" or "as documented" or is just crappy programming but doesn't actually result in an exploitable vulnerability, etc.

The folks who try to wrestle all this debate into a meaningful menagerie of useful trackable CVEs only have 24 hours in the day like the rest of us, and sometimes get overwhelmed. So they've had to post guidelines for researchers as to the minimum level of information that needs to be available before a CVE can usefully be assigned.

This includes such things as links to clear descriptions of when and in which versions the flaw was introduced and subsequently fixed (preferably with publicly accessible repository commit IDs), and preferably a clear analysis (with faulty source-code if possible) of what goes wrong and what should have happened instead, and whether the vendor has been informed, and whether they've published the fix yet (so it is clear whether to publish full details in the CVE database yet, or keep them embargoed till the fix is out).

Check whether your request complies:
http://oss-security.openwall.org/wiki/disclosure/cve

(I don't administer any of this - I just follow along at home)

Cheers
Nick
--
Will no-one rid me of this troublesome chair?