Re: How to request a CVE for open source projects

[Anthony Sasadeusz <sasadeu1 () umbc edu>]

Yeah, I'm kind of in the same boat. Used the DWF form, got a response
basically asking to accept the Mitre Terms of Service, and nothing since.

Anthony

On Mon, May 22, 2017 at 2:05 PM, Michael Catanzaro <mcatanzaro () igalia com>
wrote:

> Hi,
>
> I'm aware that the CVE form [1] can now be used to request CVEs. However,
> it does not seem to be designed for requesting CVEs in open source
> products. The field "Vendor of the product(s)" says "Please ensure vendors
> are on the products and sources list," indicating the intent of MITRE to
> restrict usage of the form to specific products. This list [2] says "For
> open source software products not listed below, request a CVE ID through
> the Distributed Weakness Filing Project CNA." So, clearly we are supposed
> to request a CVE through the DWF project. (Or perhaps via Red Hat, since it
> seems like it's willing to allocate CVEs for miscellaneous Linux-related
> issues.)
>
> Anyway, I attempted to request a CVE using the DWF project's request form
> [3] several months ago, but have not yet received any response [4]. So I am
> hesitant to request further CVEs from the DWF project, for fear that I
> won't receive a response and will wind up needing to make a duplicate CVE
> request somewhere else.
>
> How are other people getting open source CVEs right now? Has anybody else
> had luck getting a CVE via DWF? Should I be trying to do this through Red
> Hat instead? Or just by filling out MITRE's CVE form even though we're not
> really supposed to be using it?
>
> Michael
>
> [1] https://cveform.mitre.org/
> [2] http://cve.mitre.org/cve/request_id.html#cna_coverage
> [3] http://iwantacve.org/
> [4] https://bugzilla.gnome.org/show_bug.cgi?id=752738#c15