Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 8 Nov 2023 14:22:27 +0100
From: !CVE Team <>
Subject: !CVE: A new platform to track security issues not acknowledged by


The mission of !CVE (read not CVE) is to track, identify and provide a
common space for !vulnerabilities that are not acknowledged by vendors but
still are serious security issues.

This project was presented a few days ago at Black Hat Toronto 2023 [1]
and will also be presented next week at DeepSec 2023 [2].


According to MITRE's CNA rules section 7.1:

       "CNAs are left to their own discretion to determine whether
        something is a vulnerability."[3]

This poses a clear conflict of interest, since the same vendor is the one
deciding whether or not an issue is a vulnerability and therefore whether a
CVE is assigned to their own product or not.

What is a !CVE

    - A common place for !vulnerabilities (read not vulnerabilities)

    - Security issues not covered by the traditional CVE.

    - An identifier following common naming starting with an exclamation
      mark(!) Example: !CVE-2023-0001

How to request a new !CVE ID

The !CVE Project is alive and assigning !CVE-IDs for security issues that
present an advantage for an attacker.

You can request a !CVE ID at:

How !CVEs are assigned

A panel will review !CVE requests and if qualifies, a new !CVE number will
be assigned and details will be publicly available.

How to access to !CVEs details

Using the search engine at or a direct link to the !CVE
entry. For example, the first ever !CVE is available at:!CVE-2023-0001

The search engine combines information from multiple sources and also
searches for regular CVEs in all fields from all sources. For example to
search by credit we can obtain CVE discovered by Google Project Zero:

What qualifies for a !CVE

Examples that qualifies for a !CVE:
    - A security issues that is not acknowledged by the vendor as a

    - A security issue acknowledged by a vendor as technically correct
      but outside their threat model.

    - A notified security issue that has not been assigned a CVE after
      90 days.

    - A published security issue without an assigned CVE.

Examples that do NOT qualify for a !CVE:
    - A software defect with no impact on security.

    - A generic security issue, you need to list one or more
      devices/software affected with your finding.

    - Well known attacks to unencrypted channels to obtain
      credentials: Telnet, FTP, etc.

    - You can read the FAQ [4] for more examples.

In short, we see the !CVE Project as a great initiative to track and
identify security issues that are not acknowledged by vendors but still are
important for the security community.






!CVE Team

[ A PGP key is available for encrypted communications at ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.