Re: CVE id assignment dates

["Steven M. Christey" <coley () rcf-smtp mitre org>]

Alexander,

This misconception is, unfortunately, all too common.  I will look into 
ways of changing it on the CVE web site.

The Assigned date, strictly defined, is the date on which the specific CVE 
*number* was first created and "committed" to the CVE database.  There is 
no guaranteed relationship between the public disclosure date and the 
Assigned date.

When a CNA receives a pool of numbers, the Assigned date is when that pool 
was created by MITRE.  A CNA pool is just a list of CVE numbers that 
aren't even associated with a specific vulnerability.

When MITRE reserves a CVE candidate for an independent, non-CNA party, the 
"Assigned" date reflects the day that we reserved the candidate - which is 
sometimes before the issue is published, and sometimes even before the 
vendor is notified.

In other cases, MITRE independently assigns new CVEs for already-disclosed 
vulnerabilities, and the Assigned date reflects when we created those 
CVEs.  In this case, the Assigned date can be AFTER the original 
disclosure date.

We do not publish any dates related to disclosure, patch, or vendor 
notification; interested parties can consult other databases that 
explicitly track this information, such as OSVDB.

- Steve


On Mon, 23 Jan 2012, Solar Designer wrote:

> Hi,
>
> It appears that many people are confused by and concerned about the
> "Assigned" dates on CVE ids, not being aware that these dates often (or
> even all the time?) merely reflect the assignment of a CVE id pool to a
> CNA, normally before the actual vulnerabilities are discovered.
>
> For example, CVE-2012-0056 shows "Assigned (20111207)" - so someone
> wrongly thought that this meant that kernel developers or whoever sat on
> this bug for 1.5 months.
>
> I think cve.mitre.org web pages need to provide an explanation right
> next to these dates or not show the dates.
>
> Alexander