Date: Wed, 8 Nov 2023 14:22:27 +0100 From: !CVE Team <contact@...cve.org> To: oss-security@...ts.openwall.com, submissions@...ketstormsecurity.org, fulldisclosure@...lists.org, bugs@...uritytracker.com Subject: !CVE: A new platform to track security issues not acknowledged by vendors ======= Mission ======= The mission of !CVE (read not CVE) is to track, identify and provide a common space for !vulnerabilities that are not acknowledged by vendors but still are serious security issues. This project was presented a few days ago at Black Hat Toronto 2023  and will also be presented next week at DeepSec 2023 . === Why === According to MITRE's CNA rules section 7.1: "CNAs are left to their own discretion to determine whether something is a vulnerability." This poses a clear conflict of interest, since the same vendor is the one deciding whether or not an issue is a vulnerability and therefore whether a CVE is assigned to their own product or not. ============== What is a !CVE ============== - A common place for !vulnerabilities (read not vulnerabilities) - Security issues not covered by the traditional CVE. - An identifier following common naming starting with an exclamation mark(!) Example: !CVE-2023-0001 ============================ How to request a new !CVE ID ============================ The !CVE Project is alive and assigning !CVE-IDs for security issues that present an advantage for an attacker. You can request a !CVE ID at: https://notcve.org/form.php ====================== How !CVEs are assigned ====================== A panel will review !CVE requests and if qualifies, a new !CVE number will be assigned and details will be publicly available. ============================== How to access to !CVEs details ============================== Using the search engine at https://notcve.org or a direct link to the !CVE entry. For example, the first ever !CVE is available at: https://notcve.org/view.php?id=!CVE-2023-0001 The search engine combines information from multiple sources and also searches for regular CVEs in all fields from all sources. For example to search by credit we can obtain CVE discovered by Google Project Zero: https://notcve.org/search.php?query=Google+Project+Zero ========================= What qualifies for a !CVE ========================= Examples that qualifies for a !CVE: ----------------------------------- - A security issues that is not acknowledged by the vendor as a vulnerability. - A security issue acknowledged by a vendor as technically correct but outside their threat model. - A notified security issue that has not been assigned a CVE after 90 days. - A published security issue without an assigned CVE. Examples that do NOT qualify for a !CVE: ---------------------------------------- - A software defect with no impact on security. - A generic security issue, you need to list one or more devices/software affected with your finding. - Well known attacks to unencrypted channels to obtain credentials: Telnet, FTP, etc. - You can read the FAQ  for more examples. In short, we see the !CVE Project as a great initiative to track and identify security issues that are not acknowledged by vendors but still are important for the security community. ========== References ==========  https://www.blackhat.com/sector/2023/arsenal/schedule/index.html#cve-a-new-platform-for-unacknowledged-cybersecurity-vulnerabilities-36144  https://www.deepsec.net/speaker.html#PSLOT667  https://cve.mitre.org/cve/cna/CNA_Rules_v3.0.pdf  https://notcve.org/faq.html --- !CVE Team [ A PGP key is available for encrypted communications at https://notcve.org/contact.html ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.