Message-ID: <CACqxkWJMQNvT0GThSimrBm9zKLmRNA73-byd32duCJM4yFiKFw@mail.gmail.com>
Date: Thu, 19 Mar 2015 16:36:37 +0000
From: Nick Boyce <nick.boyce@...il.com>
To: fulldisclosure@...lists.org
Cc: XiaopengZhang <tfrist@...h.net>
Subject: Re: [FD] Regarding how can I request a CVE number?
On 17 March 2015 at 23:25, XiaopengZhang <tfrist@...h.net> wrote:
> I discovered several Vuls and have reported them to
> the vendors, so I'd like to request the CVE for them.
> (The vendor did not want to request CVE)
>
> I ever sent some emails to cve-assign@...re.org for
> applying for CVE. But so far still nobody replies to them.
> I don't know what happened about this email box.
> Is my email recognised as spam? Or do I need to write
> the email content in a special format?
Maybe you didn't supply all the information required for a CVE to be
assigned? There are a *huge* number of potential security-related
flaws being discovered in open-source software now as various
researchers pour a lot of effort into auditing - and discussions about
these flaws frequently get bogged down in whether or not the flaw is
"by design" or "as documented" or is just crappy programming but
doesn't actually result in an exploitable vulnerability, etc. The
folks who try to wrestle all this debate into a meaningful menagerie
of useful trackable CVEs only have 24 hours in the day like the rest
of us, and sometimes get overwhelmed.
So they've had to post guidelines for researchers as to the minimum
level of information that needs to be available before a CVE can
usefully be assigned. This includes such things as links to clear
descriptions of when and in which versions the flaw was introduced and
subsequently fixed (preferably with publicly accessible repository
commit IDs), and preferably a clear analysis (with faulty source-code
if possible) of what goes wrong and what should have happened instead,
and whether the vendor has been informed, and whether they've
published the fix yet (so it is clear whether to publish full details
in the CVE database yet, or keep them embargoed till the fix is out).
Check whether your request complies:
http://oss-security.openwall.org/wiki/disclosure/cve
(I don't administer any of this - I just follow along at home)
Cheers
Nick
--
Will no-one rid me of this troublesome chair?
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/