How to request a CVE: From vulnerability discovery to disclosure

Posted on 21 September 2022 by RiSec.n0tst3

Table of Contents

  • What is a CVE?
  • The CVE reservation process
    • 1. Verify that a CVE ID is needed
    • 2. Contact the affected vendor
    • 3. Work with a CNA
    • 4. Share the CVE with others
    • 5. Public vulnerability disclosure
  • Responsible vulnerability management
What is a CVE?

A CVE, meaning Common Vulnerabilities and Exposures, is a publicly reported vulnerability in a software product. Vulnerabilities are assigned CVE IDs so that everyone discussing a given vulnerability is talking about the same thing. Without a shared identifier it is difficult to correlate reports of a single vulnerability: different organizations assign different names to it, and the same product may contain several distinct instances of the same class of vulnerability (buffer overflows, remote code execution and so on).

The CVE reservation process

The researcher that discovers a vulnerability has the ability to reserve a CVE. If you believe that you’ve discovered a new vulnerability, you can reserve a CVE through the following process.

1. Verify that a CVE ID is needed

A CVE is appropriate if a vulnerability has been found in software. To count as a vulnerability, the flaw must be exploitable and must pose a threat to the confidentiality, integrity or availability of the software or of the data it processes. Additionally, fixing the issue must require a change to the code or to the specification.

If a CVE is appropriate, the next step is verifying that one does not already exist for the vulnerability in question. This can be accomplished via a keyword search on the CVE website.
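The duplicate check above, as an added example that is not part of the original article: it validates the CVE ID syntax and searches a set of constructed records (placeholder IDs and products, shaped like the CVE Program's JSON 5.x record format) for an existing entry covering the same vendor, product and vulnerability keywords. The sample data also shows the point made earlier: two separate buffer overflows in one product each carry their own CVE.

```python
import re
from typing import Iterable

# CVE IDs have the form CVE-<4-digit year>-<4 or more digits>
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def is_valid_cve_id(cve_id: str) -> bool:
    return bool(CVE_ID_RE.match(cve_id))

# Constructed sample records (IDs, vendor and product are placeholders),
# shaped like the CVE Program's JSON 5.x record format used by the CVE List.
SAMPLE_RECORDS = [
    {"cveMetadata": {"cveId": "CVE-2022-90001", "state": "PUBLISHED"},
     "containers": {"cna": {
         "affected": [{"vendor": "ExampleCorp", "product": "WidgetServer"}],
         "descriptions": [{"lang": "en", "value":
             "Stack-based buffer overflow in the login handler of "
             "WidgetServer 1.0 allows remote code execution."}]}}},
    {"cveMetadata": {"cveId": "CVE-2022-90002", "state": "PUBLISHED"},
     "containers": {"cna": {
         "affected": [{"vendor": "ExampleCorp", "product": "WidgetServer"}],
         "descriptions": [{"lang": "en", "value":
             "Heap-based buffer overflow in the image parser of "
             "WidgetServer 1.2."}]}}},
    # A RESERVED record has no description yet, so it cannot match by keyword.
    {"cveMetadata": {"cveId": "CVE-2022-90003", "state": "RESERVED"},
     "containers": {"cna": {"affected": [], "descriptions": []}}},
]

def find_existing(records, vendor: str, product: str, keywords: Iterable[str]):
    """Return (cveId, state) pairs for records that already cover this
    vendor/product and whose English description mentions any keyword."""
    kws = [k.lower() for k in keywords]
    hits = []
    for rec in records:
        meta, cna = rec["cveMetadata"], rec["containers"]["cna"]
        if not is_valid_cve_id(meta["cveId"]):
            continue  # malformed record; skip rather than trust it
        affects = any(a.get("vendor", "").lower() == vendor.lower()
                      and a.get("product", "").lower() == product.lower()
                      for a in cna.get("affected", []))
        text = " ".join(d["value"] for d in cna.get("descriptions", [])
                        if d.get("lang", "").startswith("en")).lower()
        if affects and any(k in text for k in kws):
            hits.append((meta["cveId"], meta["state"]))
    return hits
```

A non-empty result means the issue may already be tracked and the matching records should be read before a new request is filed.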

2. Contact the affected vendor

Working with the affected vendor is highly recommended as part of the vulnerability disclosure process. Irresponsible disclosure of a vulnerability without a “good faith” effort to contact the vendor and allow a patch to be released places users of the affected product at risk.

MITRE recommends the following steps for working with the vendor:

  1. Contact the vendor’s security contact (if available) or technical support. Provide a full description of the vulnerability in question, steps for exploitation, and proof of concept (if available). Allow five business days for the vendor to respond. An auto-reply message does not count as a response.
  2. Work with the vendor to correct the issue. This may include additional explanations, further analysis of the vulnerability, patch testing and accuracy checks of both your and the vendor’s advisories.
  3. If the five-day window expires with no response, reach out to a third-party “coordinator”, such as CERT/CC. These coordinators may have connections that improve their ability to receive a response.
  4. If the vendor and an established response team (such as CERT/CC) will not issue an advisory, publish to a public forum that allows community validation. Options include the Bugtraq and Full-Disclosure mailing lists or Exploit-DB and Packet Storm sites.
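A small tracker for the vendor-contact timeline above, added here as an example and not part of the original article. It computes the five-business-day response window from the date the report was sent (weekends are skipped; public holidays are not modelled, an assumption), ignores auto-replies as the text requires, and says whether to keep working with the vendor, keep waiting, or escalate to a coordinator such as CERT/CC.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class VendorContact:
    """One disclosure thread: when the report was sent and the replies seen.
    Each reply is (date, is_auto_reply)."""
    sent: date
    replies: list = field(default_factory=list)

def add_business_days(start: date, days: int) -> date:
    """Advance `days` Monday-to-Friday days past `start`.
    Assumption: no public-holiday calendar is applied."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 are Mon..Fri
            remaining -= 1
    return current

def response_deadline(contact: VendorContact) -> date:
    # The article allows the vendor five business days to respond.
    return add_business_days(contact.sent, 5)

def next_step(contact: VendorContact, today: date) -> str:
    """Decide the next disclosure action as of `today`."""
    deadline = response_deadline(contact)
    # An auto-reply does not count as a response.
    human_replies = [d for d, auto in contact.replies if not auto]
    if human_replies:
        return "work with vendor"
    if today <= deadline:
        return "wait"
    return "escalate to coordinator"

if __name__ == "__main__":
    # Constructed sample: report sent on a Friday, only an auto-reply received.
    thread = VendorContact(date(2022, 9, 16), [(date(2022, 9, 16), True)])
    print(response_deadline(thread))             # 2022-09-23
    print(next_step(thread, date(2022, 9, 26)))  # escalate to coordinator
```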

Public vulnerability disclosures — especially ones with details of the vulnerability and its disclosure — should not be released until a patch has been made available and system administrators have an opportunity to apply it. If a vendor is moving too slowly or resisting patching, reach out to CERT/CC or other coordinators.


3. Work with a CNA

A CVE Numbering Authority (CNA) is an organization that can assign CVE numbers. To reserve a CVE number, reach out to one of the following (in order of preference):

  • Vendor CNA: Some software vendors act as CNAs for their own software. If a vulnerability is discovered in one of these vendors’ products, reach out to their CNA contact.
  • Third-party coordinators or mailing lists: If no vendor CNA is available, reach out to a CVE coordinator (such as CERT/CC) or post on a mailing list such as Bugtraq or OSS Security. After the vulnerability has been validated, it will be assigned a CVE.
  • Root CNAs: If no CVE is assigned after following the methods above, reach out to one of the CVE Program Root CNAs to request a CVE. This can be accomplished via the online CVE Request Form.

To determine the appropriate CNA to contact and that organization’s point of contact for CNA requests, visit MITRE’s list of CNAs.

After requesting a CVE, you should be contacted by the CNA. Respond to any requests for clarification or additional detail. At the end of the process, a CVE number should either be assigned or the request will be officially rejected (with a rationale). If a CVE is assigned, it will be officially listed as “Reserved” until step 5 is completed.


4. Share the CVE with others

If a CVE has been assigned, it should be shared with the vendor and any other parties involved in the process. This helps to ensure that multiple CVEs are not assigned by different CNAs for the same vulnerability.

5. Public vulnerability disclosure

When appropriate, make a public disclosure of the vulnerability. In the announcement, clearly associate all assigned CVEs with the associated vulnerability. This is especially important if multiple CVEs are included in a single disclosure as system administrators need to know where on the CVE List to go for more information on a particular issue.

After publishing a disclosure, notify the CVE team via the CVE Request form (“Notify CVE about a publication” option). This prompts the CVE team to update the record from “Reserved” to a published entry that includes the vulnerability details on the CVE List page.

Responsible vulnerability management

If you have discovered a legitimate vulnerability, you deserve credit for doing so. Registering for a CVE provides official recognition of your discovery.

It is also important to ensure that vulnerabilities are corrected by the vendor; however, it is vital to do so responsibly. If a vendor ignores attempts at contact or refuses to issue a patch, always go through the proper channels (contacting CERT/CC or similar) before publicly exposing the vulnerability. While “name and shame” may be the only way to push some vendors into disclosure and issuing patches, doing so prematurely without exploring the options doesn’t just hurt the vendor. It also places any users of the vulnerable software at risk of exploitation with no ability to fix the issue.


Sources:

  • Search CVE List, CVE
  • Submit a CVE Request, CVE
  • Request CVE IDs, CVE
  • Infosec Institute
