How to exactly create a CVE?

Question

I found an heap overflow exploit for a vulnerability in git servers. This lead to lucrative operations on various bug bounty programs (GitHub already promised to put me in their top 10).

When it was corrected recently, the case of remote code execution wasn’t identified.
As result, many Linux distributions as well as mainline commercial products like Apple osx still ship affected versions.

So, I think it’s time to make a great publicity around the vulnerability and that a CVE shared across all can would be the best way to achieve this.

This would just take age if I need to contact them all.

Update :

For those seeking about the details, just wait my profile to appear on the main page of this site. I also won’t attempt anything as long as the issue isn’t fixed with the vendor.

https://cve.mitre.org/cve/request_id.html is the formal documentation. Please be responsible with your disclosure, especially if you've found something as dangerous as you claim. Work with the vendors before releasing publically. — Ohnana, Dec 11 '15 at 02:48
@Ohnana : I can’t talk with every vendors. I’m a student who is no longer on vacation (next time is in february). I think it’s time to advertise (as soon as the last bounty will be awarded to me). — user2284570, Dec 11 '15 at 02:52
MITRE is the top-most CNA. Talk to them, and see if they can help you. Unfortunately, disclosure done right takes time. CERT and other teams may be able to lighten your load. — Ohnana, Dec 11 '15 at 02:53
@Ohnana : How can I talk to them ? I don’t even understant which address I should e mail for that one. — user2284570, Dec 11 '15 at 02:55
@Ohnana : I don’t even understant which address I should e mail for that one. — user2284570, Dec 11 '15 at 02:59
@NeilSmithline they told they weren't intersted into that product. — user2284570, Dec 11 '15 at 04:04
As @Ohana mentioned, report the vulnerability to CERT. It's not an email, it's an online form. They'll coordinate with the vendor for you, and get a CVE number assigned. — Xander, Dec 11 '15 at 19:59
@Xander : Git isn’t part of any vendor, and the issue is already fixed. It’s just a possible exploit case wasn’t identified making older version looking as inoffensive. — user2284570, Dec 11 '15 at 20:01
It isn't magical self creating software. It has maintainers, which are the same thing. — Xander, Dec 11 '15 at 20:04
@Xander : The maintainers, are already aware of that case. They fixed the problem before they know about it, so their is nothing they can do. — user2284570, Dec 11 '15 at 20:05
Ok, so you don't need CERT to contact the maintainers for you then. Do you still have a question? — Xander, Dec 11 '15 at 20:10
@Xander : the question doesn’t ask the exact process on how to create one. — user2284570, Dec 11 '15 at 21:56
@Xander : I didn’t got any replies from cert. even after telling them twice. — user2284570, Mar 05 '16 at 12:47

Trey Blalock · Accepted Answer · 2017-03-01T05:17:45.277

As Ohnana also mentioned the way to request a formal CVE is through their intake form.

https://cve.mitre.org/cve/request_id.html

Details from a current snapshot of that website

Main Methods Contact one of the officially recognized CVE Numbering Authorities (CNAs), which will then include a CVE Identifier number in its initial public announcement about your new vulnerability.

Or, contact an emergency response team such as CERT/CC, etc., post the information to mailing lists such as Bugtraq, or provide the information to a vulnerability analysis team.

Alternative Method If you are unable to obtain a CVE Identifier number via the main methods above, you may request a CVE Identifier number directly from the CVE project. To reserve a CVE Identifier number before publicizing a new vulnerability, vulnerability researchers may contact cve-assign@mitre.org and we will provide you with our "CVE-ID Reservation Guidelines for Researchers" document. We will then work with you to assign a CVE Identifier number for the issue while you work through the process of publicly disclosing the vulnerability.

Please review the Researcher Responsibilities. https://cve.mitre.org/cve/cna.html#researcher_responsibilities

Adding a link to the CVE FAQ. https://cve.mitre.org/about/faqs.html

Once a ᴄᴠᴇ ɪᴅ is assigned and bug fixed into master, how much time does it takes to get ᴄᴠᴇ details published ? — user2284570, Mar 05 '16 at 12:48
I'm wondering the same thing as @user2284570. Can you add the info to your answer please? — Aaron Esau, Feb 28 '17 at 06:59
At this time it appears there are no timeline guarantees for any part of the CVE ID granting process. I think it's because there are multiple CNA's and/or it's an internal process metric that doesn't appear to be documented publically. — Trey Blalock, Mar 01 '17 at 05:26

How to exactly create a CVE?

Update :

1 Answers1

Linked

Related