Date: Mon, 22 May 2017 13:16:03 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: How to request a CVE for open source projects

On Mon, May 22, 2017 at 12:05 PM, Michael Catanzaro <mcatanzaro@...lia.com> wrote:

> Hi,
>
> I'm aware that the CVE form [1] can now be used to request CVEs. However,
> it does not seem to be designed for requesting CVEs in open source
> products. The field "Vendor of the product(s)" says "Please ensure vendors
> are on the products and sources list," indicating the intent of MITRE to
> restrict usage of the form to specific products. This list [2] says "For
> open source software products not listed below, request a CVE ID through
> the Distributed Weakness Filing Project CNA." So, clearly we are supposed
> to request a CVE through the DWF project. (Or perhaps via Red Hat, since it
> seems like it's willing to allocate CVEs for miscellaneous Linux-related
> issues.)
>
> Anyway, I attempted to request a CVE using the DWF project's request form
> [3] several months ago, but have not yet received any response [4]. So I am
> hesitant to request further CVEs from the DWF project, for fear that I
> won't receive a response and will wind up needing to make a duplicate CVE
> request somewhere else.

Ah, I recently did a large number of CVE assignments, I haven't emailed out
to the requesters yet, yours was
https://github.com/distributedweaknessfiling/DWF-CVE-2017-1000000/blob/f2e15ac3468dd382d9ffa3d5acc032c106f3248c/CVE-2017-1000025.json
I believe.

> How are other people getting open source CVEs right now? Has anybody else
> had luck getting a CVE via DWF? Should I be trying to do this through Red
> Hat instead? Or just by filling out MITRE's CVE form even though we're not
> really supposed to be using it?

Part of the challenge of the DWF is this is more of an experiment to figure
out what we need/how to do it, mostly so I can scale it out/up to the entire
Open Source world. So CVEs are a bit slow right now, but that should get
better over the next few months.

> Michael
>
> [1] https://cveform.mitre.org/
> [2] http://cve.mitre.org/cve/request_id.html#cna_coverage
> [3] http://iwantacve.org/
> [4] https://bugzilla.gnome.org/show_bug.cgi?id=752738#c15

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com