Date: Fri, 01 Aug 2008 15:39:18 -0500
From: "William A. Rowe, Jr." <wrowe@...e-clan.net>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
	tsecond@...h.net
Subject: Re: how to request a cve id?

Steven M. Christey wrote:
> CVE requests can be sent to cve@...re.org or to me directly.  My PGP
> key is below, or accessible from the MIT public key server.
> Alternately, you can request them from Candidate Numbering Authorities
> (CNAs) which include the security teams at Red Hat, Microsoft, and
> Debian, or third-party coordinators including iDefense and CERT/CC.
> 
> The amount of information you need to provide can vary and is somewhat
> negotiable.  We need to be sure how many CVEs to assign.
> 
> Naturally, there is no charge for CVE requests.  We encourage people
> to try to coordinate with the vendor, since the quality of information
> almost always suffers if you don't do so.

I'd like to expand on Steven's comments; it is usually best to obtain that
CVE from the vendor/project, if they already participate in Mitre.  This
ensures that you are not creating a duplicate ID.  Of course if they do
not participate, you'll need to follow Steven's directions above.

If they do participate, it ensures that duplicate CVEs won't need to be
discarded.  Where your vulnerability overlaps a prior report, you should
be told which CVE applies to your report.

It may be best where you have a cross project/vendor vulnerability to simply
request one first, and then notify each project/vendor affected of the
specific CVE you have allocated at the time you notify them of the
vulnerability.
