Date: Wed, 8 Nov 2023 14:22:27 +0100
From: !CVE Team <contact@...cve.org>
To: oss-security@...ts.openwall.com, submissions@...ketstormsecurity.org,
 fulldisclosure@...lists.org, bugs@...uritytracker.com
Subject: !CVE: A new platform to track security issues not acknowledged by
 vendors

=======
Mission
=======

The mission of !CVE (read not CVE) is to track, identify and provide a
common space for !vulnerabilities that are not acknowledged by vendors but
still are serious security issues.

This project was presented a few days ago at Black Hat Toronto 2023 [1]
and will also be presented next week at DeepSec 2023 [2].


===
Why
===

According to MITRE's CNA rules section 7.1:

       "CNAs are left to their own discretion to determine whether
        something is a vulnerability."[3]

This poses a clear conflict of interest, since the same vendor is the one
deciding whether or not an issue is a vulnerability and therefore whether a
CVE is assigned to their own product or not.


==============
What is a !CVE
==============

    - A common place for !vulnerabilities (read not vulnerabilities)

    - Security issues not covered by the traditional CVE.

    - An identifier following the common naming scheme, but starting with an
      exclamation mark (!). Example: !CVE-2023-0001


============================
How to request a new !CVE ID
============================

The !CVE Project is alive and assigning !CVE-IDs for security issues that
present an advantage for an attacker.

You can request a !CVE ID at: https://notcve.org/form.php


======================
How !CVEs are assigned
======================

A panel will review !CVE requests and, if a request qualifies, a new !CVE
number will be assigned and the details will be made publicly available.


==========================
How to access !CVE details
==========================

Using the search engine at https://notcve.org or a direct link to the !CVE
entry. For example, the first ever !CVE is available at:
https://notcve.org/view.php?id=!CVE-2023-0001


The search engine combines information from multiple sources and also
searches for regular CVEs in all fields from all sources. For example, to
search by credit, we can obtain the CVEs discovered by Google Project Zero:

https://notcve.org/search.php?query=Google+Project+Zero


=========================
What qualifies for a !CVE
=========================

Examples that qualify for a !CVE:
---------------------------------
    - A security issue that is not acknowledged by the vendor as a
      vulnerability.

    - A security issue acknowledged by a vendor as technically correct
      but outside their threat model.

    - A notified security issue that has not been assigned a CVE after
      90 days.

    - A published security issue without an assigned CVE.

Examples that do NOT qualify for a !CVE:
----------------------------------------
    - A software defect with no impact on security.

    - A generic security issue; you need to list one or more affected
      devices/software with your finding.

    - Well-known attacks on unencrypted channels used to obtain
      credentials: Telnet, FTP, etc.

    - You can read the FAQ [4] for more examples.



In short, we see the !CVE Project as a great initiative to track and
identify security issues that are not acknowledged by vendors but still are
important for the security community.


==========
References
==========

[1] https://www.blackhat.com/sector/2023/arsenal/schedule/index.html#cve-a-new-platform-for-unacknowledged-cybersecurity-vulnerabilities-36144

[2] https://www.deepsec.net/speaker.html#PSLOT667

[3] https://cve.mitre.org/cve/cna/CNA_Rules_v3.0.pdf

[4] https://notcve.org/faq.html




---
!CVE Team

[ A PGP key is available for encrypted communications at
https://notcve.org/contact.html ]
