I found a security vulnerability in a web app developed by my university. Can it have a CVE number?

Question

I found some serious vulnerabilities in my university's infrastructure. The infrastructure is a web app built with Spring and it's developed and used solely by the University.

Using it I can get sensitive information for all students and gain access to their accounts on the infrastructure. I'm planning to coordinate a vulnerability disclosure.

I am wondering whether I can get CVE numbers for it.

What was not clear? Any answer will simply point you to the CVE page. If you've read it, then you need to explain why the page didn't help you. — schroeder, Mar 16 '20 at 07:44
Does this answer your question? How can I report a new vulnerability to cve.mitre.org such that they assign a CVE ID to it?, How to exactly create a CVE?, CVE submission process?, ... — Steffen Ullrich, Mar 16 '20 at 08:15
It's closed source OK ... but is it distributed in any manner ? If the vulnerable app was developed internally only for your university usage, then there's totally no need of CVE. — binarym, Mar 16 '20 at 10:35
@binarym That's what I was asking. It's closed source and not distributed so can I obtain a cve? Not that I need one. — John Doe, Mar 16 '20 at 10:46
I don't think so... Who cares about a software that is only deployed on your university? Nobody but your university staff. So there's absolutely no interest to have a CVE for such a product.... Just contact your university staff and forget about glory in this case ;-) — binarym, Mar 16 '20 at 11:10
I didn't found a strict reference on CVE site, but if you have a look to wikipedia page, you can read: "MITRE Corporation's documentation defines CVE Identifiers (also called "CVE names", "CVE numbers", "CVE-IDs", and "CVEs") as unique, common identifiers for publicly known information-security vulnerabilities in publicly released software packages." — binarym, Mar 16 '20 at 11:15
Your answer is directly contained within the form to request a CVE ID: "Please ensure vendor or product exists in the Products and Sources list http://cve.mitre.org/cve/data_sources_product_coverage.html" From your description, it's not a "product" it's an internal project. — schroeder, Mar 16 '20 at 11:44

score 5 · Answer 1 · edited Mar 16 '20 at 11:48

The short answer is no.

If it's a closed source product, and it is not off-the-shelf, or distributed, then there is no benefit to having a CVE number assigned.

In fact, the CVE assigning authorities would not consider such a request.

Please ensure vendor or product exists in the Products and Sources list cve.mitre.org/cve/data_sources_product_coverage.html

A CVE number is a way of alerting the public to an issue in applications they might use. It is not a posterity number.

You should contact the responsible persons for maintaining the system and disclose it as soon as possible to them, so that the risk that a malicious actor might find what you have found is minimized.

I found a security vulnerability in a web app developed by my university. Can it have a CVE number?

1 Answers1