From: William A. Rowe, Jr. (wrowerowe-clan.net)
Date: Fri Aug 01 2008 - 15:39:18 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Steven M. Christey wrote:
> CVE requests can be sent to cvemitre.org or to me directly. My PGP
> key is below, or accessible from the MIT public key server.
> Alternately, you can request them from Candidate Numbering Authorities
> (CNAs) which include the security teams at Red Hat, Microsoft, and
> Debian, or third-party coordinators including iDefense and CERT/CC.
>
> The amount of information you need to provide can vary and is somewhat
> negotiable. We need to be sure how many CVEs to assign.
>
> Naturally, there is no charge for CVE requests. We encourage people
> to try to coordinate with the vendor, since the quality of information
> almost always suffers if you don't do so.

I'd like to expand on Steven's comments; it is usually best to obtain that
CVE from the vendor/project, if they already participate in Mitre. This
ensures that you are not creating a duplicate ID. Of course if they do
not participate, you'll need to follow Steven's directions above.

If they do participate, it ensures that duplicate CVE's won't need to be
discarded. Where your vulnerability overlaps a prior report, you should
be told which CVE applies to your report.

It may be best where you have a cross project/vendor vulnerability to simply
request one first, and then notify each project/vendor affected of the
specific CVE you have allocated at the time you notify them of the
vulnerability.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]